"Evolution has wired us to find it easier-to-remember gossip and stories about hunting bison than strings of characters, so we cheat by choosing the shortest and easiest to recall we can get away with."
On a slight tangent from the main point of the article, the standard response to moaning about passwords is to be told "use a password manager". I've discovered that so far, at least, they're good for storing things, but really are not as convenient as they should be in terms of how they integrate both with systems requesting authentication, and with cross-platform support.
For example, most password apps allow you to auto-generate a password for a web site (a good long random(isj) mix of character types creating an utterly unmemorable password). That's fine, but now I MUST have that password written down (stored in the manager) for that site. Next time I go to that site, I have to find that password in my manager. Some will spot that I'm on the site and offer up a shortcut to go get the password; some will enter it for me once I find it; and - many fewer - will spot that I'm on the site and automatically log me in. So far so good, but now I'm on my iPhone and want to log in. First of all, using a complex password to protect my password manager is a pain on a mobile device's soft keyboard, which is an immediate turn off - all those special characters and upper/lower case shifts makes a 12-character password require 22 keypresses to complete. Then I have the same problem - the best I might achieve is to find the site entry, copy it, then go back to the browser and paste it in. It's a very cumbersome process.
I've worked with one SSO system in the past, and it was quite good - login when you bootup and after that it was able to log in to almost every system on your behalf. Certainly almost every website authentication request could be managed, and even some apps. That's what I need on my phone too, plus automatic cloud sync between my phones and computers (I have mac, PC, iPhone and Windows Phone, so I need cross-platform support). When that comes, I don't mind having a highly complex password for my SSO manager and complex passwords for every site, because I only have to login to my SSO once per session. Oh - and yes, this does rather imply on a mobile phone that a PIN and automatic screen lock is a necessity, and that automatic password-protected screen savers were likewise a necessity on computers. Add to that the concept that a single login failure should trigger a logout of the SSO client so that brute forcing wouldn't get you access to a system with SSO enabled, and we have something that might actually be vaguely usable. Let me know when you find that, would you?