You should note that fixing offline dictionary attacks is a current work item of the Kerberos working group of the IETF; solutions are basically understood but need to be written up and implemented.