Secure password storing • www.martinstoeckli.ch • 10/13

Fished enough in muddy water?

Now that we have a unique salt and use a slow hash function, we are surely on the safe side, aren't we?

Let's think about our poor users, who have to come up with new passwords over and over again, and are even expected to remember them! It is quite possible that something like bullshit or 12345 slips through.

Of course an attacker knows this as well, and it is very likely that he will try a small collection of such weak passwords. It is also very likely that he succeeds in many cases.


Such attacks are called dictionary attacks: with a "small" collection of well-chosen guesses, the attacker tries to recover a large number of passwords.
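To make the point concrete, here is an added Python example (not code from the original article): a salted PBKDF2 hash of a weak password, a count of how many guesses from a short list it survives, and the registration-time denylist check that addresses the problem. The denylist, the iteration count and the word list are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed stand-in for a real list of common or leaked passwords (assumption, not from the article).
COMMON_PASSWORDS = frozenset({"123456", "12345", "password", "qwerty", "bullshit"})
ITERATIONS = 100_000  # PBKDF2 work factor chosen for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash: a fresh random salt per user, PBKDF2-HMAC-SHA256 as the slow function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def guesses_to_recover(salt: bytes, digest: bytes, wordlist: Iterable[str]) -> Optional[int]:
    """Exposure measurement for a stored record: number of guesses from `wordlist`
    until the hash is matched, or None if the list never matches.
    The salt forces one PBKDF2 call per guess, but a short list keeps the total
    cost at a handful of calls, which is the dictionary attack described in the text."""
    for n, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, digest):
            return n
    return None


def register(password: str) -> Tuple[bytes, bytes]:
    """Registration-time check: refuse denylisted passwords before they are ever hashed."""
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is too common")
    return hash_password(password)


if __name__ == "__main__":
    salt, digest = hash_password("12345")
    print("guesses needed:", guesses_to_recover(salt, digest, ["password", "12345", "qwerty"]))
    try:
        register("12345")
    except ValueError as exc:
        print("rejected:", exc)
```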