Wouldn't crazy brute-force attacks like this be eliminated with simple attempt limitation? It may be able to do the brute-force attacks at a megazillion per second, but if the connection is actively refused after 10 tries, what does it even matter?
You could theoretically set the limit to any amount way under the total amount of possibilities and it still wouldn't matter.
As for building passwords that are stronger, we need to move away from 8 - 12 char limits with case and special characters and force people to use complex strings that have 25 - 50 chars in them but are simple to remember, for example something like "mydogsnameisfluffy" or "whydoineedacrazyasspassword". Both of these are much harder to crack than "8&#sref".
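The attempt limit described in the comment above, sketched as an added example that is not part of the original post: a per-account failure counter that refuses further login attempts after 10 failures. The class and function names, the 900-second lockout duration and the guess list are assumptions made for illustration.

```python
import time

MAX_FAILURES = 10        # the limit suggested in the comment
LOCKOUT_SECONDS = 900    # assumed lockout duration, not taken from the comment


class AttemptLimiter:
    """Counts failed logins per account and refuses attempts once the limit is hit."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout = lockout
        self.clock = clock          # injectable so the lockout can be tested
        self._state = {}            # account -> (failure_count, time_of_last_failure)

    def is_locked(self, account):
        count, last = self._state.get(account, (0, 0.0))
        if count < self.max_failures:
            return False
        if self.clock() - last >= self.lockout:
            del self._state[account]    # lockout expired, start counting afresh
            return False
        return True

    def attempt(self, account, password_ok):
        """Return 'refused', 'ok' or 'failed'; password_ok is the outcome of the
        credential check and is ignored while the account is locked."""
        if self.is_locked(account):
            return "refused"
        if password_ok:
            self._state.pop(account, None)   # success clears the failure count
            return "ok"
        count, _ = self._state.get(account, (0, 0.0))
        self._state[account] = (count + 1, self.clock())
        return "failed"


def simulate_guessing(limiter, account, guesses, real_password):
    """Run guesses through the limiter; return (guesses actually checked, found)."""
    checked = 0
    for guess in guesses:
        result = limiter.attempt(account, guess == real_password)
        if result == "refused":
            continue                 # the guess never reached the password check
        checked += 1
        if result == "ok":
            return checked, True
    return checked, False
```

With a constructed list of 1000 guesses, only the first 10 are ever compared against the password; a correct login submitted during the lockout window is refused as well.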