Yes, but.
Of course this is a great article about passwords.
But it doesn't address the problem of how people who get hold of a password are able to download a whole database full of stuff. I propose a look at http://solutionsny.nyc/pc-security.html. Obviously no useful data should ever be stored on-line, or accessible from an on-line system. The paper suggests how data should be made available on-line.
The paper also suggests, implicitly, that PC architecture (as it is currently implemented) may not be appropriate for a secure environment as compared to the IBM System/360 (now z/System architecture). On an S/360, all IO devices use the same hardware interface. There are no unique device drivers. The supervisor sets up the channel program to operate the device, and runs it under supervisor control. If the wrong number of characters is transferred, the problem program is cancelled. Hardware prevents buffer overruns, thus it isn't possible for a buffer overrun to corrupt problem program code and execute inappropriate code. Each problem program runs in its own address space with its own storage protect key. Again, hardware enforced. There was quite a lot of pushback when IBM started to enforce these rules in MVS, but without them, there is no real security.