Showing posts with label Pentagon Hacked. Show all posts

Even the strongest password is not secure


Some computer security experts are advancing the heretical thought that passwords might not need to be “strong,” or changed constantly. They say onerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we aren’t paying enough attention to more potent threats.

Here’s one threat to keep you awake at night: Keylogging software, which is deposited on a PC by a virus, records all keystrokes — including the strongest passwords you can concoct — and then sends them surreptitiously to a remote location.

One might guess that heavily trafficked Web sites — especially those that provide access to users’ financial information — would have requirements for strong passwords. But it turns out that password policies of many such sites are among the most relaxed. These sites don’t publicly discuss security breaches, but Mr. Herley said it “isn’t plausible” that these sites would use such policies if their users weren’t adequately protected from attacks by those who do not know the password.

At the Usenix Workshop on Hot Topics in Security conference, held last month in Washington, the three suggested that Web sites with tens or hundreds of millions of users could let users choose any password they liked — as long as only a tiny percentage selected the same one. That would render a list of most often used passwords useless: by limiting a single password to, say, 100 users among 10 million, the odds of an attacker getting lucky on one attempt per account are astronomically long, Mr. Herley explained in a conversation last month.

Mr. Herley said the proposed system hadn’t been tested and that users might become frustrated in trying to select a password that was no longer available. But he said he believed an anything-is-permitted password system would be welcomed by users sick of being told, “Eat your broccoli; a strong password is good for security.”
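The popularity cap described above can be sketched as follows. This is an added example, not code from the researchers or from any site mentioned here; the exact-count table keyed by an HMAC of the password, the class and function names, and the demo key and cap of 2 are all assumptions made for illustration.

```python
import hashlib
import hmac


class PopularityLimiter:
    """Accept any password unless too many accounts already use it."""

    def __init__(self, key: bytes, max_users_per_password: int):
        self._key = key                    # server-side secret (constructed in the demo)
        self._cap = max_users_per_password
        self._counts = {}                  # HMAC tag -> number of accounts using it
        self._current = {}                 # account -> tag of its current password

    def _tag(self, password: str) -> bytes:
        # Keyed digest so the counter table never holds plaintext passwords.
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    def try_set(self, account: str, password: str) -> bool:
        new = self._tag(password)
        old = self._current.get(account)
        if old is not None and hmac.compare_digest(old, new):
            return True                    # unchanged password, nothing to count
        if self._counts.get(new, 0) >= self._cap:
            return False                   # too popular: the user must pick another
        if old is not None:                # release the slot held by the old password
            self._counts[old] -= 1
            if self._counts[old] == 0:
                del self._counts[old]
        self._counts[new] = self._counts.get(new, 0) + 1
        self._current[account] = new
        return True

    def users_of(self, password: str) -> int:
        return self._counts.get(self._tag(password), 0)


def best_single_guess_rate(cap: int, total_accounts: int) -> float:
    """Upper bound on the fraction of accounts one guess per account can hit."""
    return cap / total_accounts


def demo():
    limiter = PopularityLimiter(key=b"constructed-demo-key", max_users_per_password=2)
    results = [limiter.try_set(u, "123456") for u in ("alice", "bob", "carol")]
    moved = limiter.try_set("alice", "correct horse")   # alice frees a slot
    retry = limiter.try_set("carol", "123456")          # now carol fits under the cap
    return results, moved, retry, limiter.users_of("123456")
```

With the article's figures, `best_single_guess_rate(100, 10_000_000)` gives 0.00001, i.e. an attacker trying the single most common password once per account reaches at most one account in 100,000.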



Military Computer Attacked


WASHINGTON — A top Pentagon officer has confirmed a previously classified incident that he describes as “the most significant breach of U.S. military computers ever,” a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.

Plugging the cigarette-lighter-sized flash drive into an American military laptop at a base in the Middle East amounted to “a digital beachhead, from which data could be transferred to servers under foreign control,” William J. Lynn 3d, deputy secretary of defense, said in the latest issue of the journal Foreign Affairs.

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Mr. Lynn wrote.

The incident was first reported in November 2008 by the Danger Room blog of Wired magazine, and then in greater detail by The Los Angeles Times, which said that the matter was sufficiently grave that President George W. Bush was briefed on it. The newspaper mentioned suspicions of Russian involvement.

But Mr. Lynn’s article was the first official confirmation of the incident. He also named the Pentagon operation to counter the attack, Operation Buckshot Yankee, and said that the episode “marked a turning point in U.S. cyber-defense strategy.” In an early move, the Defense Department banned the use of portable flash drives (USB) with its computers, but it later modified the ban.

Mr. Lynn described the extraordinary difficulty of protecting the military’s digital communications across a web of 15,000 networks and 7 million computing devices in dozens of countries against far-flung adversaries who, with modest means and a reasonable degree of ingenuity, can inflict outsized damage. Traditional notions of deterrence do not apply.

“A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States’s global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target,” he wrote.

Security officers also faced the problem of counterfeit hardware that may have remotely operated “kill switches” or “back doors” built in to allow manipulation from the other side of the world, as well as the problem of software with rogue code meant to cause sudden malfunctions.

Against the array of threats, Mr. Lynn said, the National Security Agency had pioneered systems — “part sensor, part sentry, part sharpshooter” — that are meant to automatically counter intrusions in real time.

His article appeared intended partly to raise awareness of the threat to United States cybersecurity — “the frequency and sophistication of intrusions into U.S. military networks have increased exponentially,” he wrote — and partly to make the case for a larger Pentagon role in cyberdefense.

The military’s major efforts at cyberdefense have been drawn under a single organization, the U.S. Cyber Command, which began operations in late May at Fort Meade, Maryland, under a four-star general, Keith B. Alexander.

But under proposed legislation, the Department of Homeland Security would take the leading role in the defense of civilian systems.

Though the Cyber Command has greater capabilities, the military operates within the United States only if ordered to do so by the president.

Another concern is whether the government, or the Pentagon in general, has the nimbleness for such work. Mr. Lynn acknowledged that “it takes the Pentagon 81 months to make a new computer system operational after it is first funded.” By contrast, he noted, “the iPhone was developed in 24 months.”

