“These requirements keep out the good guys without deterring the bad guys,” he said.

Northwestern has reduced its password requirements to eight, but they still constitute a challenging maze. For example, the password can’t have more than four sequential characters from the previous seven passwords, and a new password is required every 120 days.

By contrast, Amazon has only one requirement: that the password be at least six characters. That’s it. And hold on to it as long as you like.

A short password wouldn’t work well if an attacker could try every possible combination in quick succession. But as Mr. Herley and Mr. Florêncio note, commercial sites can block “brute-force attacks” by locking an account after a given number of failed log-in attempts. “If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.”

Roger A. Safian, a senior data security analyst at Northwestern, says that unlike Amazon, the university is unfortunately vulnerable to brute-force attacks in that it doesn’t lock out accounts after failed log-ins. The reason, he says, is that anyone could use a lockout policy to try logging in to a victim’s account, “knowing that you won’t succeed, but also knowing that the victim won’t be able to use the account, either.” (Such thoughts may occur to a student facing an unwelcome exam, who could block a professor from preparations.)

Very short passwords, taken directly from the dictionary, would be permitted in a password system that Mr. Herley and Stuart Schechter at Microsoft Research developed with Michael Mitzenmacher at Harvard.

At the Usenix Workshop on Hot Topics in Security conference, held last month in Washington, the three suggested that Web sites with tens or hundreds of millions of users could let users choose any password they liked, as long as only a tiny percentage selected the same one. That would render a list of the most often used passwords useless: by limiting a single password to, say, 100 users among 10 million, the odds of an attacker getting lucky on one attempt per account are astronomically long, Mr. Herley explained in a conversation last month.
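As an added illustration (not code from the article or from the researchers' paper), here is one way a site could enforce such a popularity cap and compute the per-account odds the article cites. It assumes a secretly keyed count-min sketch as the counting structure; the names `PopularityPolicy` and `success_probability` are my own.

```python
import hashlib
import hmac
import os
from fractions import Fraction


class PopularityPolicy:
    """Accept any password until `limit` existing users already share it.

    Counts live in a count-min sketch keyed with a secret (a design choice
    assumed here, not taken from the article): the server never stores the
    popular passwords themselves, and the sketch can only overestimate.
    """

    def __init__(self, limit, width=2 ** 16, depth=4, key=None):
        self.limit = limit  # e.g. 100 users per password among 10 million
        self.width, self.depth = width, depth
        self.key = key or os.urandom(32)
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        # One keyed hash per row; the key keeps the table from acting as an oracle
        for row in range(self.depth):
            msg = f"{row}:{password}".encode()
            digest = hmac.new(self.key, msg, hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def count(self, password):
        # Count-min estimate: never below the true number of users sharing it
        return min(self.table[r][c] for r, c in self._cells(password))

    def allowed(self, password):
        return self.count(password) < self.limit

    def register(self, password):
        """Record a user's choice; False means 'pick something less common'."""
        if not self.allowed(password):
            return False
        for r, c in self._cells(password):
            self.table[r][c] += 1
        return True


def success_probability(limit, total_users, guesses_per_account=1):
    """Upper bound on an attacker's chance against one account when no password
    is held by more than `limit` of `total_users` users and the attacker gets
    `guesses_per_account` tries before a lockout stops further attempts."""
    return Fraction(min(guesses_per_account * limit, total_users), total_users)


if __name__ == "__main__":
    policy = PopularityPolicy(limit=100, key=b"demo-key")  # constructed demo key
    accepted = sum(policy.register("123456") for _ in range(150))
    print(accepted, "users were allowed '123456'; now allowed:", policy.allowed("123456"))
    print("odds per account with 3 tries:", success_probability(100, 10_000_000, 3))
```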

Mr. Herley said the proposed system hadn’t been tested and that users might become frustrated in trying to select a password that was no longer available. But he said he believed an anything-is-permitted password system would be welcomed by users sick of being told, “Eat your broccoli; a strong password is good for security.”