Yes, and enforcing long passwords is the primary and most important way of dealing with it. Enforcing ridiculously high CPU/RAM use for authenticating is a cost that both sides have to pay, but in itself it doesn't solve the problem at hand.