We at PhantomFrog have always maintained that the ONLY
TRUE litmus test of a password protection system (whether its
ProxyPass, Pennywize, Strongbox) is whether the stolen passes
that are published on password trading sites are WORKING!!! If
you can find working passes there, then the password protection
system you're using is failing to do its job. Period.

There are also webmasters who voluntarily plant passwords to
entice leechers to join their site. Any webmaster doing this
would obviously ignore or exempt his planted passes
from being blocked.

Just go to wt50.com and you'll find a well organized index of
password trading forums. And those are just the public ones.
There are also private paid membership ones as well where
leechers pay so the stolen passwords have a longer lifetime.
Many of these forums have been closed only to re-open under
a different domain and host with their entire leecher membership
intact. So, closing them down only makes the snake rear its ugly
head in a different spot. The solution is to block and change the
stolen passwords. If the hackers and leechers who frequent
these trading forums only find dead passwords, they will become
frustrated and turn their attention to improperly protected sites.

I have personally observed discussion threads between hackers
who are tearing their hair out about why previously wide open
sites have suddenly become unexploitable for stealing passwords.
Those sites had recently installed Phantom Frog. Its nice to turn
the tables and have the hackers, instead of the webmasters, be
the ones who are losing sleep!!!

You can install a Free Trial version of the system to evaluate it
for yourself.