StackOverflow Security Expert (acooke.org)
6 points by andrewcooke on July 13, 2013 | hide | past | favorite | 4 comments


Can you please elaborate on the point of publishing this? It'd really help.


Yes, it's either too early in the morning and my strong cup of joe hasn't kicked in, or I'm not understanding your post at all.


I thought exactly the same thing: what point is the author trying to prove? Also it would help if the question was linked - users with 10k+ rep can still see it.


> Note that final gem: "YOU SHOULDN'T BE PROTECTING PEOPLE WITH SILLY PASSWORDS". So he's throwing what, more than half his users, under the bus...

On the one hand, with a decent password manager it is pretty easy to avoid silly passwords. For most sites that require a password, I am never going to need to log in to those sites except from my home desktop, my work desktop, and my mobile devices. My password manager (1Password) works and syncs with all of those, so I'm fine.

1Password is commercial, but there are free password managers that achieve the same result, I believe.

On the other hand, there are some times when a strong password is annoying. Spotify, for example. I have a strong password there, and when I got a receiver that had Spotify support it was a real pain to enter that password. 1Password (or any other password manager as far as I know) does not have a version for Denon receivers! I had to look up the password, and then enter it via the receiver remote and on-screen keyboard. Every time there was a transition of case or between alphabetic and punctuation, it would take several button presses to switch the keyboard mode. Ugh! It took something like 10 minutes to enter that password.

My receiver also has SiriusXM, Pandora, and Flickr support. I don't use any of those, but someone who did would have 3 more passwords to enter. And then there is my Blu-Ray player, with Amazon Prime support, Netflix support, VuDu support, and a whole bunch of others. (Seriously, there are at least 50 services in the "video" section, and a whole bunch in the "audio" section. Some of those are services that don't require a login, but many do).

It would be extremely annoying to try and enter strong passwords for all those. Until a better way is found to provide these kinds of services on receivers, Blu-Ray players, game consoles, and such, it will be hard to get people to use strong passwords.

I've seen one service do it a right way. I gave the device my account name. The device talked to the service, and then showed me a 5 digit or so number. I then had to go to the service's web site, and enter that number. The device was then linked to my account. Presumably, the device and the service worked out some kind of credential that the device would use on subsequent accesses to prove its identity.

My conclusion is that ===IF=== we can do passwords right everywhere on the client side, then we could indeed stop worrying about weak passwords on the server, and so maybe just storing a hash would be good enough (it wouldn't even need to be salted). Using scrypt or bcrypt would just be a waste of server resources.

But that's a big if. We aren't there yet. I don't know if we'll ever get there. There's no technical reason we can't get there, but it might require the cooperation of too many interests with too many ego issues and territorial issues.
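The device-linking exchange described in the comment above (account name typed into the device, a short code confirmed on the web site while logged in, then a long-lived credential the device presents on later accesses), as an added example that is not part of the original thread or of any real service's code: a small Python model of the service side, in which the short code is single-use and time-limited and only a hash of the issued credential is stored. `LinkingService`, `CODE_TTL` and the clock callable are constructed names.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 600   # seconds a pairing code stays valid (constructed value)


class LinkingService:
    def __init__(self, clock):
        self.clock = clock         # callable returning the current time in seconds
        self.pending = {}          # code -> (account, device_id, expires_at)
        self.approved = {}         # device_id -> (account, token) awaiting pickup
        self.device_tokens = {}    # device_id -> (account, sha256(token))

    def start_pairing(self, account, device_id):
        """Device step: the user typed the account name in; return a 5-digit code."""
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending[code] = (account, device_id, self.clock() + CODE_TTL)
        return code

    def confirm_on_website(self, logged_in_account, code):
        """Browser step: a logged-in user enters the code shown on the device."""
        entry = self.pending.pop(code, None)   # single use, consumed even on failure
        if entry is None:
            return False
        account, device_id, expires_at = entry
        # Must match the browser's account and still be fresh, so a mistyped or stale code links nothing.
        if account != logged_in_account or self.clock() > expires_at:
            return False
        self.approved[device_id] = (account, secrets.token_urlsafe(32))
        return True

    def poll_for_credential(self, device_id):
        """Device step: poll until the long-lived credential is ready, then keep it."""
        entry = self.approved.pop(device_id, None)
        if entry is None:
            return None
        account, token = entry
        # Store only a hash: a 32-byte random token is not guessable like a password, so no slow KDF is needed.
        self.device_tokens[device_id] = (account, hashlib.sha256(token.encode()).digest())
        return token

    def authenticate(self, device_id, token):
        """Every later access: the device proves its identity with the stored token."""
        entry = self.device_tokens.get(device_id)
        if entry is None or token is None:
            return None
        account, digest = entry
        presented = hashlib.sha256(token.encode()).digest()
        return account if hmac.compare_digest(digest, presented) else None
```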



