Think of a word. A password. Make it at least eight characters long, but no more than 12. Don’t repeat any characters more than twice. Make sure it has at least one letter, and one number. In fact, it has to start with a number. You can’t use a user name or any password you’ve tried in the past. And finally, you have to use one of these characters somewhere in your password: ~!@#$%^&*()-_+={}[]\|;:/?.,<>.

And try to make it memorable. You shouldn’t write it down, but you may need it again in a few months, when you come back to the website.

Feeling flummoxed? Security experts tell us that we’re supposed to make our passwords hard to guess, but some websites take a cruel delight in forcing us to come up with impossible-to-guess (or remember) passwords.

The requirements above are for a real website. They were written by security geeks at the U.S. Customs and Border Protection agency for people who want to sign up online for the agency’s Trusted Traveler program, a way for frequent fliers to skirt long immigration lines.
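To make the policy concrete, here is the rule set above encoded as a checker. This is an added example, not code from the CBP site; the user-name rule is assumed to mean the password may not contain the user name, and the reuse rule is assumed to compare against a supplied history of previous passwords.

```python
# The Trusted Traveler password rules quoted above, written out as checks.
# Added example; the user-name and history interpretations are assumptions.
SPECIALS = set("~!@#$%^&*()-_+={}[]\\|;:/?.,<>")


def check_policy(password, username="", history=()):
    """Return the list of rules the password violates (empty list = accepted)."""
    problems = []
    if not 8 <= len(password) <= 12:
        problems.append("length must be 8-12 characters")
    if any(password.count(c) > 2 for c in set(password)):
        problems.append("no character may appear more than twice")
    if not any(c.isalpha() for c in password):
        problems.append("needs at least one letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if not password[:1].isdigit():
        problems.append("must start with a number")
    if username and username.lower() in password.lower():
        problems.append("may not contain the user name")   # assumed reading
    if password in history:
        problems.append("may not reuse a previous password")
    if not any(c in SPECIALS for c in password):
        problems.append("needs one of the listed special characters")
    return problems


if __name__ == "__main__":
    # A short, hard-to-remember string sails through; a long word passphrase
    # of the kind the article later recommends is rejected on five counts.
    print(check_policy("7Qx!mB2v"))
    print(check_policy("correct horse battery staple"))
```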

To researchers Cormac Herley and Paul C. van Oorschot, the computer industry’s non-stop campaign to force us to strengthen our passwords is misguided — demanding too much work from users for the benefits it delivers. “Security is a secondary task to users, whereas many websites and providers seem to think users have a lot of spare capacity they enjoy spending on … extra work,” says van Oorschot, a computer science professor at Ottawa’s Carleton University.

In a new research paper, van Oorschot and Herley, a Microsoft researcher, say that IT pros often get things backward when it comes to instructing us on password security. That’s because password advice usually neglects the really scary and effective attacks. “Users are bombarded with information on how to choose strong passwords. They receive a steady, though less extensive, stream of advice about phishing,” they write in their paper. “As for keystroke-loggers, there is little beyond suggestions to run antivirus programs and keep software patched.”

In other words, users get easy answers rather than the information they really need to hear.

The World’s First Data Breach?

Password problems have been around since the 1960s. Perhaps the first documented password compromise happened in 1966, on the legendary Compatible Time-Sharing System, at the Massachusetts Institute of Technology. The CTSS was an IBM 7094 mainframe, tweaked to allow for a new type of multi-user, interactive programming. When CTSS was built, computers would run programs in one big job, doing every step at once, but the CTSS let several users log in and program at the same time. With multi-user programming came passwords.

One day, a software bug mixed up the welcome message displayed to users of the system with its password file. “Any user who logged in, found that instead of the usual message-of-the-day typing out on his terminal, he had the entire file of user passwords instead,” said CTSS project leader Fernando J. Corbató, recalling the incident 25 years later. “This went on for 15 or 20 minutes until one particularly conscientious user called up the system administrator.”

Everyone’s password had to be reset. Of course, it happened on a Friday at 5 p.m., the witching hour for technical glitches.

That incident was cited in a very influential 1979 paper on password security, written by Unix heavyweights Robert Morris and Ken Thompson. In it, they describe what they call a “key search” attack — where the attacker guesses different passwords over and over again until one of them works. Nowadays, we call these attacks “brute force” attacks, and with today’s powerful microprocessors, they’ve become very effective. A modern computer can quickly generate billions and billions of password combinations until one of them finally works. This is the attack that you’re repelling with that long, complicated, hard-to-remember password.

But, for websites, there’s an easier way. They can just pop up a captcha page, or force the user to wait a few minutes after a handful of failed login attempts. This type of login throttling is enough to thwart a brute force attack on the website’s login page.
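The throttling described above, as an added example that is not from the paper or any site mentioned here: a per-account failure counter with a cooling-off period, plus a constructed simulation of an online guesser hammering one account. The account name, rates and thresholds are assumed.

```python
import time


class LoginThrottle:
    """Per-account login throttling. After `threshold` consecutive failures,
    further attempts are refused until `delay` time units have passed since
    the most recent failure. A successful login clears the counter."""

    def __init__(self, threshold=5, delay=300, clock=time.time):
        self.threshold = threshold
        self.delay = delay
        self.clock = clock          # injectable so a simulation can fake time
        self.failures = {}          # account -> (consecutive failures, last failure time)

    def allowed(self, account):
        count, last = self.failures.get(account, (0, 0))
        if count < self.threshold:
            return True
        return self.clock() - last >= self.delay

    def record(self, account, success):
        if success:
            self.failures.pop(account, None)
            return
        count, _ = self.failures.get(account, (0, 0))
        self.failures[account] = (count + 1, self.clock())


def simulate_guessing(guesses_per_second, seconds, threshold=5, delay_seconds=60):
    """Constructed scenario: every guess against one account is wrong.
    Returns (guesses submitted, guesses that reached the password check).
    Time is kept in integer milliseconds to avoid float drift."""
    now_ms = [0]
    throttle = LoginThrottle(threshold, delay_seconds * 1000, clock=lambda: now_ms[0])
    step_ms = 1000 // guesses_per_second
    submitted = checked = 0
    while now_ms[0] <= seconds * 1000:
        submitted += 1
        if throttle.allowed("victim"):
            checked += 1
            throttle.record("victim", success=False)
        now_ms[0] += step_ms
    return submitted, checked


if __name__ == "__main__":
    # 100 guesses/s for ten minutes: 60001 submitted, only 14 ever checked.
    print(simulate_guessing(100, 600))
```

Even with a six-character password like “aaaaaa”, a guesser limited to a dozen or so checks an hour never gets through the space; the weak password is protected by the server, not by its own strength.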

It seems to work. Many heavily trafficked websites — including sites that get targeted by fraudsters all the time — let you set up accounts with mind-numbingly simple passwords. You can set up an Amazon.com account with the password “aaaaaa.” That would be guessed in seconds using a brute-force attack, but Amazon allows it.

In another paper, Microsoft’s Herley concludes that many of the largest and most heavily attacked websites do just fine with pretty weak password policies, while other obscure government and university sites are draconian. Why? Because the government and university sites simply didn’t care as much about how hard they were to use. “When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive,” write Herley and another Microsoft researcher, Dinei Florêncio.

While everyone agrees that it’s a good idea to have strong passwords, increasingly, computer scientists say that strong passwords aren’t as important as they were back when Thompson and Morris wrote their groundbreaking paper. Some even say that it’s perfectly fine to use weaker passwords in some cases. Sure, you want a unique and extremely strong password for online banking, but do you really need to go iron-clad when you’re coming up with a login for PBS Kids? Why not just use a hard-to-guess combination of words?

“It’s not that people can’t do password-guessing today, but it’s no longer the really serious vulnerability,” says Steven Bellovin, professor of computer science at Columbia engineering school. If you’re worried about having your password compromised, worry about phishing and keylogging, he says.

If a criminal is going to use a password to break into a company and steal data, the odds are that he’s going to use a default password — this is a huge problem for remotely managed cash register systems — or a password that’s been stolen via key-logging software, says Bryan Sartin, a director of investigative response with Verizon Business. “Of all passwords we see compromised — those specifically related to initial point of intrusion — most are not cracked at all,” he says. “They are already known.”

This reuse of passwords is a huge problem for consumers too. Websites can block repeated login attempts, but what if they get hacked? “If a site is compromised and people brute force those passwords, and those passwords have been used elsewhere, then you’re in trouble,” says Stefano Zanero, president of Secure Network, a security consultancy based in Milan.

The Password Zombie

A big part of the problem, Herley and van Oorschot argue, is that the computer industry so thoroughly wrote off passwords about a decade ago that not enough serious research has gone into improving them and understanding how they get compromised in the real world.

Blame it on Bill Gates.

Eight years ago, Bill Gates predicted that computer passwords were not long for this world. They were the weak link in computer security, he said, adding: “There’s no doubt that over time people are going to rely less and less on passwords.”

Gates thought we’d be using smart cards or RSA SecurID tokens to securely log in wherever we wanted to go. This is what’s known as two-factor authentication. You log in with something you’ve memorized (your password) and then, to make things extra-secure, you also use a second thing — something you have in hand (a smart card, say, or an RSA token).

In the trade press, Gates’s prediction was reported as the death knell for passwords. And then eight years went by. During that time, Facebook, Twitter, and Wikipedia added hundreds of millions of users — all of them logging in with plain old passwords — without a single smart card or RSA token. Even Microsoft’s heavily promoted CardSpace easy authentication software was a flop.

The password has not died. It has thrived. We have passwords for our local news sites, passwords to watch movies online, passwords for our e-mail, and for our social networking.

Passwords have given websites a cheap and relatively secure way to quickly sign up millions of users, but the computer industry needs to treat them with a little more respect. Herley and van Oorschot write that “the premature conclusion that passwords are dead has led to the neglect of important research questions.”

They say we need better research into where it makes sense to use passwords, how to make them easier to use, and how much money password compromises really cost. And what about the cost to password users? In another paper, Herley estimates that the time spent managing complex passwords could cost U.S. businesses billions of dollars in lost productivity each year.

It’s a controversial topic in the computer security field. After spending 20 years hammering home the message that complex passwords are important, who would want to admit that the whole thing might be a little overblown?

Without giving any explanation, Microsoft wouldn’t allow Herley to be interviewed for this article.

But Herley and those who think like him are gaining supporters. “He’s upsetting some people with his positions that go against the conventional wisdom, but in general I think he’s right,” says Bellovin.