Yes, I deliberately didn't say it was _exactly_ a long password. I was more trying to get across the single-factor side of it.

In any case, if the service handles passwords properly and the user generates one password per service (both wild far-out concepts unfortunately), leaking the salted hash would not matter.