A New York Times article explains something that has long puzzled me: why are institutions where security really matters so lax about passwords, while the corner store requires long, ever-changing combinations of upper and lower case, alphanumeric and non-alphanumeric characters? Why are my credit union and my bank satisfied with a four-digit numeric PIN, which they never make me change? The answer, according to a number of security experts interviewed by the Times, is that passwords don't need to be strong or constantly changed. Worse, "[O]nerous requirements for passwords have given us a false sense of protection against potential attacks. In fact,...