Ben Brown:
I think an even better solution would be to remove the password completely, allowing users to log in with only an email address. Each time a user needs to log in, they enter their email address and receive a login link via email.
Read the follow-up post here.
(via Marco Arment)