"This is stunning in light of the fact that today’s brute-force cracking software and hardware can unscramble those passwords in seconds."
Really? Most decently secure places these days have various forms of rate-limiting. On every bank I've seen, if any sort of software was attempting to break into an account using that as a list, they couldn't get as far as "12345678" (3 attempts, contact bank in person, prove who you are, maybe have to visit bank), and certainly would hit significant delays before they could reach "password".
And if they manage to get the accounts/password database(s) from the bank and break that, you're long overdue for changing banks. Actually, breaking it could be relatively trivial; it's the getting it that is the issue.
Rate limit login attempts, block at 3-5 attempts, consider carefully how secure the "reset password" function you provide should be, and use some sense with password limits, and teach people about decent password manager (if such a thing truly exists?)/notebook use.
And FFS STOP using easily discoverable "security questions" like "mother's maiden name" and "first school" and "first car" and idiotic insecure stuff like that. Most social-media types will have all of that plastered all over publicly viewable places, and family members will certainly know (sometimes you want to keep your kids out of certain parts of your computer!). At the very least give people the option of choosing their own, and force at least one "own choice" that must be coupled with a provided choice if you really must provide choice.
(Last time I checked, the NZ Government's "Real Me" site, used for logging in to the tax dept, benefits/pensions etc dept, IIRC companies office/registry and various other things, had 4 choices for security question consisting of first pet, first school, oldest sibling and first vehicle, with no other options, including no self-set option. I left them a nastygram and now do all of that stuff in office.)
(El Reg: PLEASE FIX THIS CAPTCHA CRAP! I don't let any js from google run, and every time I have to enter one the text of the post is lost; it just takes me back to a blank page. I've already authenticated with you, if someone else has my password then a captcha isn't gonna stop them! For now I have to use http rather than https coz https is broken on El Reg!)