[snes]

What about not having a password at all? The user who wants to log in, request a login link to their email. And can click it within set amount of time.

Then the user only have to know the email-password. And that could be used to get a new password anyways.

Lots of sites I only visit once a year I need a new password to each time. And it would save me the trouble of making something up each time, and not remembering it anyways. And if I would try to remember it, it would likely be a password I use on another site. Which would be bad.

[repsilat]

I think you just invented OpenID. Better, because more people have email addresses than OpenID providers, and because it piggybacks on existing infrastructure. Worse, because you don't auto-redirect past the login page.

Probably a net win.