RE: My Experience: Biggest Barrier to 'Signing up Friends'

in #steem, 8 years ago

This means hackers can trivially brute force passwords against any account they like. Normally each password submission must go to a server and the server can rate-limit hackers. With Steemit your password is your private key. Attackers can try millions or billions of passwords per second. An 8 character password could be brute forced in a couple of days assuming it was perfectly random.

What about hard-coding on Steem a 1-3 second delay after the password is asked, before accepting it? Like KeePass does with "Key transformation"....
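An added example, not part of the original comment and not Steem's or KeePass's own code: it reproduces the "couple of days" estimate for a random 8-character password and shows how a key transformation calibrated to about one second changes it when the work is part of the key derivation itself. PBKDF2-HMAC-SHA256 stands in for the transformation, and the 62-symbol alphabet, the guess rate of one billion per second and all function names are assumptions.

```python
import hashlib
import time


def stretched_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Key transformation: PBKDF2-HMAC-SHA256 iterated `rounds` times."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def calibrate_rounds(target_seconds: float, probe_rounds: int = 20_000) -> int:
    """Choose a round count costing roughly target_seconds on this machine."""
    start = time.perf_counter()
    stretched_key("probe", b"constructed-salt", probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_rounds * target_seconds / elapsed))


def exhaust_days(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Days needed to try every password of `length` symbols at a given rate."""
    return alphabet ** length / guesses_per_second / 86_400


def stretched_exhaust_days(alphabet: int, length: int,
                           hashes_per_second: float, rounds: int) -> float:
    """Same search when each guess costs `rounds` hash operations.

    Simplification: one PBKDF2 round is counted as one hash operation.
    """
    return exhaust_days(alphabet, length, hashes_per_second / rounds)


if __name__ == "__main__":
    ALPHABET, LENGTH, RATE = 62, 8, 1e9  # assumed: a-z, A-Z, 0-9; 1e9 guesses/s
    rounds = calibrate_rounds(1.0)       # about one second per login locally
    print(f"unstretched: {exhaust_days(ALPHABET, LENGTH, RATE):.2f} days")
    print(f"rounds for ~1 s on this machine: {rounds}")
    years = stretched_exhaust_days(ALPHABET, LENGTH, RATE, rounds) / 365
    print(f"stretched:   {years:,.0f} years at the same hardware rate")
```

The slowdown applies to an offline guesser only because the rounds are needed to compute the key; changing the round count changes the derived key, so it has to be fixed for every client that derives the same key.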