Wired has an article this week asking "Do You Really Need a Password You Can Barely Remember?"
To researchers Cormac Herley and Paul C. van Oorschot, the computer industry’s non-stop campaign to force us to to strengthen our passwords is misguided — demanding too much work from users for the benefits it delivers...According to Wikipedia, a brute force attack may involve testing 2^56 permutations per second. How can a host site allow such to occur? Anyway, further details at Wired (which is the via for the xkcd cartoon)
...“brute force” attacks [have] become very effective. A modern computer can quickly generate billions and billions of password combinations until one of them finally works. This is the attack that you’re repelling with that long, complicated, hard-to-remember password.
But, for websites, there’s an easier way. They can just pop up a captcha page, or force the user to wait a few minutes after a handful of failed login attempts. This type of login throttling is enough to thwart a brute force attack on the website’s login page.
It seems to work. Many heavily trafficked websites — including sites that get targeted by fraudsters all the time — let you set up accounts with mind-numbingly simple passwords. You can set up an Amazon.com account with the password “aaaaaa.” That would be guessed in seconds using a brute-force attack, but Amazon allows it...
Some even say that it’s perfectly fine to use weaker passwords in some cases. Sure, you want a unique and extremely strong password for online banking, but do you really need to go iron-clad when you’re coming up for a login to PBS Kids?..
It’s a controversial topic in the computer security field. After spending 20 years hammering home the message that complex passwords are important, who would want to admit that the whole thing might be a little overblown?
Addendum: Tx to readers for comments, including pointing out that the numbers above re brute force attacks are theoretical. Read the comments for additional insights.