The gap between the effort needed to withstand online and offline password guessing attacks is enormous, and there's a large gap where increasing cracking resistance leads to no change in outcomes. On many networks there's also a snowball effect, where an attacker with x% of credentials controls much more than x% of network resources; this also gives a large region where increasing cracking resistance accomplishes nothing. This talk examines the administrator's task of defending a population of users from password cracking, what does and doesn't make sense, and where we are wasting our time (spoiler alert: almost everywhere.)