All about passwords

Continuing my quest to get into the subtleties of security and measures to protect against 'bad guys,' I came across an interesting article in the New York Times about choosing passwords. One of the fundamental questions I grapple with is the right way to think about the tradeoff between measures that protect against 'what might happen' and the ill effects or unintended consequences of those measures in real life. A typical example: if you require people to have long, complicated passwords to protect their logins, they end up writing them down or emailing them around, which is a lot worse. Anyway, here's a bit from the article:

"At the Usenix Workshop on Hot Topics in Security conference, held last month in Washington, the three suggested that Web sites with tens or hundreds of millions of users, could let users choose any password they liked — as long as only a tiny percentage selected the same one. That would render a list of most often used passwords useless: by limiting a single password to, say, 100 users among 10 million, the odds of an attacker getting lucky on one attempt per account are astronomically long, Mr. Herley explained in a conversation last month." (from The New York Times)
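To make the scheme in the quote concrete, here is an added example (my own sketch, not code from the researchers or the article) of a server-side "popularity cap" on passwords. It keeps an approximate count of how many accounts have chosen each password and refuses a new registration once that count reaches the cap, which for the article's numbers is 100 users out of 10 million. The count-min sketch, the keyed hash, the `PopularityCap` class and its parameters are all my assumptions for the example; the scheme only requires that some such counter exist and that it be kept server-side and salted so it cannot be rebuilt offline from a wordlist.

```python
import hashlib
import hmac

# Constructed example of a popularity-capped password policy.
# Counts are approximate (count-min sketch) so the server never stores a
# per-password table of exact counts, which would itself be a useful oracle.


class PopularityCap:
    """Reject a password once too many accounts already use it."""

    def __init__(self, total_users: int, cap_per_million: int = 10,
                 width: int = 1 << 16, depth: int = 4,
                 secret: bytes = b"constructed-example-secret"):
        # 10 per million of 10,000,000 users is the article's "100 users".
        self.total_users = total_users
        self.cap = max(1, total_users * cap_per_million // 1_000_000)
        self.width = width
        self.depth = depth
        self.secret = secret  # server-side key; rotate with the sketch
        self.tables = [[0] * width for _ in range(depth)]

    def _cells(self, password: str):
        # One keyed hash per row: without the secret an attacker cannot
        # compute which cells a candidate password maps to.
        for row in range(self.depth):
            digest = hmac.new(self.secret,
                              bytes([row]) + password.encode("utf-8"),
                              hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def count(self, password: str) -> int:
        # Count-min never under-counts, so the cap is enforced conservatively:
        # a hash collision can only make a password look *more* popular.
        return min(self.tables[row][col] for row, col in self._cells(password))

    def is_allowed(self, password: str) -> bool:
        return self.count(password) < self.cap

    def register(self, password: str) -> bool:
        """Record the choice and return True, or return False if over the cap."""
        if not self.is_allowed(password):
            return False
        for row, col in self._cells(password):
            self.tables[row][col] += 1
        return True

    def single_guess_success_bound(self) -> float:
        # With at most `cap` accounts on any one password, one guess against a
        # randomly chosen account succeeds with probability at most cap/N.
        return self.cap / self.total_users


if __name__ == "__main__":
    policy = PopularityCap(total_users=10_000_000)
    accepted = sum(policy.register("password123") for _ in range(101))
    print(f"cap={policy.cap}, accepted {accepted} of 101 attempts")
    print("per-guess success bound:", policy.single_guess_success_bound())
```

The interesting property is the one the article describes: a leaked "top 100 passwords" list stops being useful, because no single entry on it can unlock more than a tiny fraction of accounts, so the per-account odds of one lucky guess are bounded by cap/N rather than by how lazy the most common users are. The false-positive behaviour of the sketch is the right way round for a policy like this (a collision can only cause an early rejection, never an under-count), and the keyed hash means the sketch is useless to anyone who obtains it without the key.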