You make my point well – a “strong” password is not going to protect against that type of attack at all – you are better off picking a pseudo-strong one (i.e. one that can survive a handful of guesses) that can be memorized and logging the hell out of the system. And the more obvious solution is multi-factor authentication.

But there is little/no need to even get that complex. Consider the recent case with MySpace passwords being collected through a phishing attack – in that case, it doesn’t matter if your password is 50 alpha-numeric random characters – you’re dead.

In general, I agree, in that weak passwords aren’t what’s going to be causing new troubles.

However, given all the functionality/vulnerability that Web 2.0 is opening up, I think we could be surprised by just comes in the future.

Imagine, for example, a CSRF attack distributed by XSS, essentially turning millions of browsers into millions of password-guessers.

(Of course, you could legitimately ask why they aren’t using their botnets for that right now. My point is that since the attackers have shown that their imaginations generally outstrip ours, declaring any particular vector as over-and-done seems premature.)