Indeed. Their FAQ says as much in question 6, and question 7 tries to make it out as though it maintaining a separate (actually secure?) honeychecker actually worthwhile pursuit, because then attackers who don't bother to look at your login code after compromising your box can sometimes be detected. It seems like a bit of a longshot, though. I would expect the attacker to be at least a little curious as to why each user has 20 passwords.