It makes sense in a way.

Would you rather take your chances as one in one million customers getting his "hunter2" password brute-forced by a dedicated attack or as one of the one million customers totally pwned by a buffer overflow/code injection from the password field?