How to choose a password according to Microsoft
Written by John P Mello Jr on July 30, 2010
Passwords are a necessary evil for system security, but they need not be as evil as some organizations require them to be. Even “trivial” passwords can be tolerated, provided the number of accounts sharing each one is policed system-wide.
That’s the conclusion a pair of Microsoft researchers and a Harvard computer science professor reach in a paper to be presented at the Hot Topics in Security workshop in Washington, D.C. next month. The trio–Stuart Schechter, Cormac Herley and Prof. Michael Mitzenmacher–maintain that users can be allowed to adopt simple passwords as long as too many of them aren’t allowed to adopt the same password.
“We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want–so long as it’s not already too popular with other users,” they write in Popularity Is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks.
One reason organizations impose password creation rules is to protect their users from “dictionary” attacks, in which an attacker works through a list of words and common strings. If a password is on such a list, sooner or later a cracker will hit it. Passwords that aren’t words foil that particular attack, and long, hellacious combinations of upper- and lowercase letters, numbers and symbols hold up better still against exhaustive brute force. The problem for users, though, is that the passwords hardest to guess are also the hardest to remember.
Rather than try to modify user behavior (which, left alone, is to damn security and choose as simple a password as the rules allow), security pros often deploy a “three strikes and you’re out” lockout to foil online guessing against an account. With that system, if a password is entered incorrectly three times, the account is locked for a period of time. Crackers, who are great students of human behavior, quickly figured out a workaround to lockout schemes, and it hinges on how users choose passwords.
In an analysis of some 32 million pilfered passwords performed earlier this year by a security firm, 60 percent of users had chosen passwords drawn from a limited set of alphanumeric characters. Worse yet, 50 percent of the passwords were names, slang, dictionary words or trivial strings such as 123456 or “Password.” Internet grifters are well aware of those tendencies. So rather than directing thousands of guesses at one account, they take the handful of most common passwords and direct them at thousands of accounts. Because each account sees only one or two attempts, well under the lockout threshold, the attack skirts lockout defenses entirely, and it yields far more compromised accounts per guess than a dictionary attack on a single account.
That kind of common-password attack, though, can be blunted by the method proposed by the authors of Popularity Is Everything. Their system limits the number of accounts that may share any one password. So even if an intruder guesses a password correctly, that guess can compromise at most that many accounts, rather than a significant fraction of the user base.
“Replacing password creation rules with popularity limits has the potential to increase both security and usability,” the researchers contend in their paper. “Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.”
“We conjecture that usability also increases,” they continue. “System designers no longer need to create increasingly complex password-selection rules with no guarantee that they will result in truly strong passwords. Users needn’t read, learn, or interpret these rules. Instead, users are only inconvenienced when their password choice is one that would lead to a [quantifiable] unacceptable level of vulnerability to a statistical guessing attack.”
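To make the two mechanisms concrete, here is a small simulation written for this page; it is not the researchers’ code and nothing in it comes from the paper or the article beyond the ideas. It registers a population of accounts under a constructed, deliberately skewed password distribution, runs a “three strikes” per-account lockout, and shows that a horizontal attack which tries two popular guesses against every account compromises hundreds of accounts without triggering a single lockout, while a single-account attack locks out after three tries. It then enforces a popularity limit using a count-min sketch (the data structure the paper uses for this purpose, though the parameters, the server-side secret and the limit of five accounts per password here are all assumptions for the illustration) and reruns the same attack. All account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import random
from collections import Counter

# Constructed, skewed password distribution for the simulation (not the leaked 32M set).
COMMON = ["123456", "password", "12345678", "qwerty", "abc123"]


def draw_password(rng):
    """Half of the simulated users pick from COMMON; the rest pick a unique-looking string."""
    if rng.random() < 0.5:
        return rng.choice(COMMON)
    return "u%08x" % rng.getrandbits(32)


class PopularitySketch:
    """Count-min sketch: `rows` hash rows of `width` counters; the estimate is the minimum
    over rows, so collisions can only overcount, never undercount. Passwords are hashed under
    an assumed server-side secret, so the table stores no passwords and a stolen copy alone
    does not reveal which strings are popular."""

    def __init__(self, rows=4, width=1 << 16, secret=b"example-server-secret"):
        self.rows, self.width, self.secret = rows, width, secret
        self.table = [[0] * width for _ in range(rows)]

    def _cells(self, password):
        for r in range(self.rows):
            mac = hmac.new(self.secret, b"%d:%s" % (r, password.encode()), hashlib.sha256).digest()
            yield r, int.from_bytes(mac[:8], "big") % self.width

    def estimate(self, password):
        return min(self.table[r][i] for r, i in self._cells(password))

    def add(self, password):
        for r, i in self._cells(password):
            self.table[r][i] += 1


def try_register(sketch, password, limit):
    """Popularity limit: refuse any password already held by `limit` or more accounts."""
    if sketch.estimate(password) >= limit:
        return False
    sketch.add(password)
    return True


def build_population(n, limit=None, seed=1):
    """Register n users; with a limit, a user whose choice is over-popular must pick again."""
    rng = random.Random(seed)
    sketch = PopularitySketch() if limit else None
    accounts = {}
    for uid in range(n):
        while True:
            pw = draw_password(rng)
            if sketch is None or try_register(sketch, pw, limit):
                break
        accounts["user%d" % uid] = pw
    return accounts


def max_sharing(accounts):
    """Number of accounts that share the single most popular password."""
    return max(Counter(accounts.values()).values())


class ThreeStrikes:
    """Per-account lockout: an account locks after `strikes` consecutive failed logins."""

    def __init__(self, accounts, strikes=3):
        self.accounts, self.strikes = accounts, strikes
        self.failures, self.locked = Counter(), set()

    def login(self, user, guess):
        if user in self.locked:
            return "locked"
        if self.accounts[user] == guess:
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= self.strikes:
            self.locked.add(user)
        return "fail"


def vertical_attack(accounts, user, guesses, strikes=3):
    """Classic guessing against one account. Returns (compromised, locked_out)."""
    policy = ThreeStrikes(accounts, strikes)
    for g in guesses:
        if policy.login(user, g) == "success":
            return True, False
    return False, user in policy.locked


def spray(accounts, guesses, strikes=3):
    """Horizontal attack: a few popular guesses against every account, staying one attempt
    below the lockout threshold. Returns (accounts compromised, accounts locked out)."""
    policy = ThreeStrikes(accounts, strikes)
    compromised = 0
    for user in accounts:
        for g in guesses[: strikes - 1]:
            if policy.login(user, g) == "success":
                compromised += 1
                break
    return compromised, len(policy.locked)


if __name__ == "__main__":
    top2 = ["123456", "password"]
    for label, limit in (("no popularity limit", None), ("limit of 5 per password", 5)):
        accounts = build_population(1000, limit=limit)
        hits, locked = spray(accounts, top2)
        print("%-24s spray with 2 guesses: %d compromised, %d locked out" % (label, hits, locked))
    accounts = build_population(1000)
    victim = next(u for u, p in accounts.items() if p not in COMMON)
    print("vertical attack on %s: compromised=%s locked=%s" % ((victim,) + vertical_attack(accounts, victim, COMMON)))
```

With 1,000 simulated accounts and no limit, the two-guess spray typically lands around 200 accounts and locks none, because no account ever sees a third failure; with the limit of five, the same spray can reach at most ten accounts, since the sketch never undercounts and so never lets a sixth account take a capped password. Whatever threshold a real deployment picks, the structure that tracks popularity is itself sensitive: anyone who obtains it can query which candidate strings are near the cap, which is why it is keyed here and why the paper’s design has to address that oracle risk separately.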
Although the password philosophy advocated by the researchers has yet to undergo close scrutiny from the security community, steering users away from common passwords has gained some traction at one of the largest social networks on the Internet.
“Twitter, in responding to an online password guessing attack that exploited their failure to lock out guessers, now forbids 390 of the most common passwords,” the researchers noted. “It would appear that Twitter decided that this inconveniences their users less than the introduction of cumbersome password policies.”

September 10th, 2010 at 9:45 pm
After running into some embarrassing security issues in the office, we’ve decided to hold seminars for our company staff on how to effectively and efficiently create a password. During the seminar, we asked our company staff to write down their passwords. Ironically, ALL OF THEM were willing to show it to us: under the assumption of course that we had the best of intentions. We also discovered that most of them were incredibly simple. After the seminar we obligated everyone to change their passwords.