New analysis reveals basic regulatory password requirements fall far short of providing protection from compromise.