1. I suspect that a large majority of users would, as opposed to searching dictionaries, simply draw on their own vocabularies to come up with their passwords, thereby severely limiting entropy (but making for more easily remembered and, of course, cracked passwords tongue ).

2. Doesn't the "three strikes and you're out" rule followed by many, if not all, (e.g.) financial Web sites means that a hacker would have to crack a password in a non-secure location, i.e. your own machine?

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire