Another security question

[Paul Rubin]

Chris Angelico <rosuav at gmail.com> writes:
> Correct. However, weak passwords are ultimately the user's
> responsibility, where the hashing is the server's responsibility.

No, really, the users are part of the system and therefore the system
designer must take the expected behavior of actual users into account.
The idea is to prevent breaches, not to allow them as long as the blame
can be shifted to someone else.