“Passwords of any length and any change frequency are almost a waste of time as a security device. Most password attacks now are not dictionary driven, but keyboard scrapes”

Link. Is this true? Fits Apple’s 2F squeeze. Wish 2F was less of a mess.