Sigmajin, based on this comment and your last, I'm not sure you 100% understand the situation.
- Regarding your first comment, I'm confused because if you can recover the private key you don't need the password. Also, you are correct in assuming 16 chars can't be brute-force attacked, but it can be dictionary attacked. If it was feasible to brute-force, everyone would be screwed.
- I didn't take these users' money. I re-assigned control of these users' accounts to Steemit, which has a mechanism allowing them to establish new (hopefully better) credentials.
- I'm curious what you would have regarded as more ethical in this instance? Would doing nothing and watching these users get robbed be as ethical as merely burdening them with the inconvenience of being forced to pick a password that can't be trivially guessed?
RE: Offline Attack on Steem User Credentials