It's easy to defeat bruteforce.
Instead of using the password for the account directly, use the password as an input to PBKDF2 with a number of iterations inversely related to the password's length.
The relation: one second for safe passwords, longer for unsafe ones; let's say it's 15 seconds for something like "apple".
This makes bruteforcing much harder even for short passwords.
It's possible to add a second simple field, even a user's real name, and use it as a salt. The combination would make bruteforcing almost impossible.
For compatibility with other accounts, it's enough to add a checkbox 'use older password system'.
I can implement this in JS. Jitted JS in new browsers is fast enough. I asked Jean-Luc if he would include this if I did (no point writing only for myself - I have a secure password) but he wasn't interested.
https://forums.nxtcrypto.org/viewtopic.php?f=17&t=557
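The scheme proposed in the post (PBKDF2 with an iteration count that grows as the password gets shorter, salted with a second user-supplied field), as an added illustration that is not code from the post or from the project it discusses. The two anchor points (about 1 s for a safe password, about 15 s for "apple") come from the post; the length thresholds, the iterations-per-second calibration figure and the `second_field` parameter are assumptions made for this example.

```python
import hashlib
import hmac

# Schedule constants. The post gives two anchor points: about 1 s for a "safe"
# password and about 15 s for "apple". The lengths and the calibration figure
# below are assumptions chosen for illustration, not numbers from the post.
SHORT_LENGTH = 5                  # length of "apple": maximum cost
SAFE_LENGTH = 16                  # assumed: this long or longer gets the 1 s baseline
MIN_SECONDS = 1
MAX_SECONDS = 15
ITERATIONS_PER_SECOND = 200_000   # hypothetical; calibrate on the real client
KEY_LEN = 32


def iterations_for(password: str, ips: int = ITERATIONS_PER_SECOND) -> int:
    """Iteration count that rises linearly from 1 s at SAFE_LENGTH to 15 s
    at SHORT_LENGTH, capped there for anything shorter.

    Integer arithmetic so the result is reproducible across machines.
    """
    span = SAFE_LENGTH - SHORT_LENGTH
    shortfall = min(span, max(0, SAFE_LENGTH - len(password)))
    # seconds = MIN + (MAX - MIN) * shortfall / span, then scaled to iterations
    return ips * (MIN_SECONDS * span + (MAX_SECONDS - MIN_SECONDS) * shortfall) // span


def derive_record(password: str, second_field: str,
                  ips: int = ITERATIONS_PER_SECOND) -> dict:
    """Stretch the password with PBKDF2-HMAC-SHA256, using the second field
    (e.g. the user's real name, as the post suggests) as the salt.

    The salt is deliberately not stored: the verifier must be given it again.
    """
    iterations = iterations_for(password, ips)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              second_field.encode("utf-8"), iterations,
                              dklen=KEY_LEN)
    return {"iterations": iterations, "key": key}


def verify(record: dict, password: str, second_field: str) -> bool:
    """Recompute with the stored iteration count and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    second_field.encode("utf-8"),
                                    record["iterations"], dklen=KEY_LEN)
    return hmac.compare_digest(candidate, record["key"])
```

Passing a small `ips` value (as the checks below do) keeps a demonstration fast; the default is meant to be replaced by a measured figure for the browser the code will run in.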