Instead of enforcing complex passwords, as many organizations do, the new scheme makes sure that no more than a few users can have the same password. This has a similar overall effect on security: an attacker who guesses a popular password can compromise only a handful of accounts with it. Further research from Microsoft also reveals why only some organizations insist on very complex passwords.
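One way to build the popularity limit described above, as an added example rather than code from the article or from Microsoft: every registration increments a count for the chosen password, and a password already held by `max_users` accounts is refused. The counts live in a count-min sketch keyed by an HMAC of the password, so the service stores no passwords and can only over-count, never under-count; the sketch, the HMAC keying and the threshold of three are this example's assumptions, not details the article gives.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


class PopularityLimiter:
    """Refuse a password once it is already in use by max_users accounts.

    Counts are kept in a count-min sketch indexed by an HMAC of the password
    (assumed design, not the article's): the store holds no passwords, and a
    count-min estimate is never lower than the true number of holders.
    """

    def __init__(self, max_users: int = 3, width: int = 1 << 16,
                 depth: int = 4, key: Optional[bytes] = None):
        if not 1 <= depth <= 8:
            raise ValueError("depth must be 1..8 (one 4-byte index per SHA-256 chunk)")
        self.max_users = max_users
        self.width = width
        self.depth = depth
        # Secret key: without it the sketch cannot be rebuilt or queried offline.
        self.key = key if key is not None else os.urandom(32)
        self.table = [[0] * width for _ in range(depth)]

    def _indexes(self, password: str):
        digest = hmac.new(self.key, password.encode("utf-8"), hashlib.sha256).digest()
        # Carve one 4-byte column index per row out of a single HMAC output.
        for row in range(self.depth):
            chunk = digest[4 * row:4 * row + 4]
            yield row, int.from_bytes(chunk, "big") % self.width

    def estimate(self, password: str) -> int:
        """Upper bound on how many accounts currently use this password."""
        return min(self.table[row][col] for row, col in self._indexes(password))

    def is_allowed(self, password: str) -> bool:
        return self.estimate(password) < self.max_users

    def register(self, password: str) -> bool:
        """Record the password for a new account; False if it is too popular."""
        if not self.is_allowed(password):
            return False
        for row, col in self._indexes(password):
            self.table[row][col] += 1
        return True


def simulate(limiter: PopularityLimiter, attempts: List[str]) -> Tuple[int, int]:
    """Run a list of registration attempts; return (accepted, rejected)."""
    accepted = rejected = 0
    for password in attempts:
        if limiter.register(password):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    # Constructed registration stream: ten users all pick "123456".
    limiter = PopularityLimiter(max_users=3)
    print(simulate(limiter, ["123456"] * 10 + ["correct horse battery staple"]))
```

The sketch answers "is this password popular?" for anyone who can query it, which is itself useful to an attacker, so in practice the check belongs behind the same rate limiting as login, and a deployment would want to blur the counts (for example with deliberate false positives) rather than expose exact popularity.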
Increasingly complex password requirements--rules like "passwords must be 14 characters long and contain at least two uppercase letters, two lowercase letters, and three symbols"--make it difficult for attackers to guess passwords using a so-called "dictionary attack," which involves trying a list of likely passwords one after another.
Without such restrictions, people tend to pick passwords that are easy to remember, easy to type--and easy to guess. For example, when 32 million passwords from the social media website RockYou were exposed in a breach last December, nearly half were found to be "trivial passwords" such as consecutive digits, dictionary words, or common names, according to an analysis last January by the Web security firm Imperva.
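To make the two preceding paragraphs concrete, here is an added example (not Imperva's tool or the article's own code) that sorts a password list into the three "trivial" categories named above and also applies the complexity rule quoted earlier. The password list, the tiny word list and the name list are constructed stand-ins, not RockYou data or a real dictionary.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Toy stand-ins for a real dictionary and a list of common names (assumption).
DICTIONARY = {"password", "iloveyou", "princess", "monkey", "sunshine", "football"}
COMMON_NAMES = {"nicole", "daniel", "jessica", "ashley", "michael"}

# Constructed sample of leaked passwords; it is not RockYou data.
SAMPLE_DUMP = [
    "123456", "12345", "password", "iloveyou", "nicole",
    "xK9#pL2!qR7m&z", "Tr0ub4dor&3", "bl4ckbird", "Summer2009!", "sunsh1ne",
]


def is_consecutive_digits(s: str) -> bool:
    """True for runs like 123456 or 654321 (each digit +1 or -1 from the last)."""
    if len(s) < 2 or not s.isdigit():
        return False
    step = int(s[1]) - int(s[0])
    if step not in (1, -1):
        return False
    return all(int(b) - int(a) == step for a, b in zip(s, s[1:]))


def classify(password: str) -> Optional[str]:
    """Return the trivial-password category a password falls in, or None."""
    lower = password.lower()
    if is_consecutive_digits(lower):
        return "consecutive digits"
    if lower in DICTIONARY:
        return "dictionary word"
    if lower in COMMON_NAMES:
        return "common name"
    return None


def meets_policy(password: str) -> bool:
    """The rule quoted in the article: 14+ chars, >=2 upper, >=2 lower, >=3 symbols."""
    upper = sum(1 for c in password if c.isupper())
    lower = sum(1 for c in password if c.islower())
    symbols = sum(1 for c in password if not c.isalnum())
    return len(password) >= 14 and upper >= 2 and lower >= 2 and symbols >= 3


def summarize(dump: List[str]) -> Tuple[float, Dict[str, int], int]:
    """Return (fraction trivial, count per category, number passing the policy)."""
    counts = Counter(classify(p) or "other" for p in dump)
    trivial = len(dump) - counts["other"]
    passing = sum(1 for p in dump if meets_policy(p))
    return trivial / len(dump), dict(counts), passing


if __name__ == "__main__":
    fraction, counts, passing = summarize(SAMPLE_DUMP)
    print(f"{fraction:.0%} trivial: {counts}; {passing} of {len(SAMPLE_DUMP)} meet the policy")
```

Running it shows the tension the article describes: the policy rejects every trivial password in the sample, but it also rejects almost every password a person might plausibly have chosen on their own, which is the cost the popularity-based scheme is trying to avoid.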