(Page 2 of 2)
However, Herley says, there are no plans to implement the new scheme in any Microsoft products yet. "We can't speculate on Microsoft product plans," he says. "Right now we're just putting it out there to get feedback from the security research community."
Over the past few years, researchers in the emerging field of "usable security" have taken a hard look at many information security practices and found a number of them lacking. For example, many computer systems lock out an account if a user mistypes his password three times in a row. But seven years ago, Sascha Brostoff and Angela Sasse, two researchers from University College London in the United Kingdom, showed that raising that limit from three to 10 dramatically reduces the number of legitimate users who are locked out while having only a negligible impact on a system's overall security.
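To make the trade-off behind that finding concrete, here is an added example (written for this page, not code from the researchers or from Microsoft) that implements a simple consecutive-failure lockout policy and then models both sides of it: a legitimate user who mistypes with some per-attempt probability and retries until they succeed, and an online guesser who gets at most `threshold` uniform guesses at one account before the lock triggers. The typo rate, the password-space size and the user counts are constructed assumptions chosen for illustration, not figures from the study.

```python
import random
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Per-account counter of consecutive failed logins; locks at `threshold`.

    A successful login resets the counter. The check on the threshold-th
    failure is still evaluated, so a guesser gets exactly `threshold` tries.
    """
    threshold: int
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, account: str, credentials_ok: bool) -> bool:
        """Record one login attempt; return True only if it is accepted."""
        if account in self.locked:
            return False
        if credentials_ok:
            self.failures[account] = 0
            return True
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.threshold:
            self.locked.add(account)
        return False


def legit_lockout_probability(threshold: int, typo_rate: float) -> float:
    """Closed form for a user who retries until success: they are locked out
    exactly when their first `threshold` attempts all fail (assumed
    independent, each failing with probability `typo_rate`)."""
    return typo_rate ** threshold


def attacker_success_probability(threshold: int, password_space: int) -> float:
    """An online guesser against a single account gets `threshold` uniform
    guesses before the lock; this is the chance one of them is right."""
    return min(1.0, threshold / password_space)


def simulate_legit_lockouts(threshold: int, typo_rate: float,
                            users: int, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: fraction of `users` who hit
    the lock before logging in, each retrying until accepted or locked."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    policy = LockoutPolicy(threshold)
    locked = 0
    for i in range(users):
        account = f"user{i}"
        while True:
            if policy.attempt(account, rng.random() >= typo_rate):
                break
            if account in policy.locked:
                locked += 1
                break
    return locked / users


if __name__ == "__main__":
    # Constructed scenario: a clumsy population mistyping 30% of the time,
    # against a (deliberately small) space of one million equally likely passwords.
    for k in (3, 10):
        print(f"threshold={k:2d}  legit lockout ~ {legit_lockout_probability(k, 0.3):.2e}"
              f"  (simulated {simulate_legit_lockouts(k, 0.3, 20000):.4f})"
              f"  guesser success {attacker_success_probability(k, 10**6):.1e}")
```

The point the numbers make is the one in the article: moving from three to ten strikes cuts the legitimate-lockout rate by orders of magnitude (a thirtieth-power versus a cube of the typo rate), while the guesser's per-account success probability only scales linearly with the extra tries, which stays tiny against any reasonable password space.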
Last week, more than 200 computer security researchers from around the world met in Redmond, WA, at the annual Symposium on Usable Privacy and Security to discuss approaches for making computers simultaneously more secure and more usable.
Another study by Microsoft researchers, presented at the symposium, explains why only some organizations impose overly complicated password policies. The study examined password policies at 75 different websites, including the 20 top-ranked sites on the Internet, and websites belonging to banks, large universities, and U.S. government agencies. Microsoft researchers Dinei Florencio and Cormac Herley found no correlation between the value of a consumer's account, the number of attacks that the website suffered, and the complexity of the passwords that the website operators forced on their users.
According to the study, websites where users have a choice between multiple providers--sites for banks and investment firms, for example--generally have relatively simple password requirements. These sites protect their users' assets through anti-fraud techniques, and the companies don't want to make it too difficult for their customers to log in.
Florencio and Herley found that the sites that had the most stringent password requirements were those where the users generally had no ability to shop around--sites like the U.S. Social Security Administration, the National Weather Service, and the webmail systems for several large universities. For these systems, the organizations have no monetary incentive to balance usability with security, or to find some other way of protecting user accounts.
"Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back," the authors add. "When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive."
Simson Garfinkel served on the program committee of the 2010 Symposium on Usable Privacy and Security.