...
As one group of researchers points out, even weak passwords are secure when there is a limit on the number of failed attempts [10]. This is why bank card PINs are secure even though they have only 13 bits of entropy. With an enforced exponential backoff for failed attempts, an attacker will have fewer than a few dozen attempts per year. With so few attempts, only the most common passwords would be hacked. A system that blocks users from selecting the most common passwords, combined with exponential backoff, would be secure even when users choose "weak" passwords.
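The arithmetic behind that claim, as an added example that is not from the original text or from the cited research: a per-account limiter whose lockout doubles after each consecutive failure, plus a blocklist check at enrolment. The 1-second base delay, the doubling schedule, all class and function names, and the five-entry blocklist are assumptions chosen for illustration.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed sample blocklist; a real deployment would load a far larger list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein"}


def password_allowed(candidate):
    """Reject blocklisted passwords when the user sets or changes a password."""
    return candidate.lower() not in COMMON_PASSWORDS


class BackoffLimiter:
    """Per-account lockout that doubles after every consecutive failure."""

    def __init__(self, base_delay=1.0):
        self.base_delay = base_delay  # assumed: 1 s lockout after the first failure
        self.failures = {}            # account -> consecutive failed attempts
        self.locked_until = {}        # account -> earliest time of next attempt

    def try_login(self, account, ok, now):
        """Return 'locked', 'ok' or 'failed'; `ok` is the credential check result."""
        if now < self.locked_until.get(account, 0.0):
            return "locked"           # the guess is not evaluated at all
        if ok:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        self.locked_until[account] = now + self.base_delay * 2 ** (n - 1)
        return "failed"


def guesses_in(period, base_delay=1.0):
    """Count the guesses one account absorbs in `period` seconds when every
    retry arrives at the exact instant the previous lockout expires."""
    limiter, now, guesses = BackoffLimiter(base_delay), 0.0, 0
    while now <= period:
        limiter.try_login("victim", ok=False, now=now)
        guesses += 1
        now = limiter.locked_until["victim"]
    return guesses


if __name__ == "__main__":
    print("guesses per year, 1 s base:", guesses_in(SECONDS_PER_YEAR))
    print("guesses per year, 60 s base:", guesses_in(SECONDS_PER_YEAR, 60.0))
```

Because the delay doubles each time, raising the base delay from one second to one minute removes only a handful of guesses per year; the guess budget is governed by the doubling, which is why the blocklist only needs to cover the most common choices.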
...