I mostly agree. One thing they could have done to mitigate some of it is bar the user from creating a password that is one of the most commonly used 1 million passwords, or 10,000, etc to mitigate users using commonly used passwords that they might have used elsewhere.

Most commonly used password lists: github.com/danielmiessler/…/Common-Credentials