Do we really care if our users' password "password1" is cracked? If we're not going to enforce complex passwords then trying to fight brute force cracks is pointless. They can just check the 1000 most commonly used passwords and net a tenth of the accounts. On the other hand, enforcing a strong password would make it virtually impossible no matter what the algorithm.