Re: The real problem
a password has to be difficult to guess but easy to remember
This rules out (traditional) passwords, full stop. The asymmetry of effort between "guessing" and "remembering" is far too steep.
there's no password imaginable that can't be broken offline given time
That's trivially true for any finite sequence, so it's not a useful observation in itself. It's possible to make more productive observations about password or passphrase entropy versus contemporary cracking approaches under realistic economic assumptions and a plausible threat model; but generalizations like this are pointless.
There's also not much point in talking about passwords unless you're also going to consider passphrases.
For example, we might say something like: most people will find it non-trivial to come up with a passphrase that 1) has sufficient entropy to resist extant cracking engines; 2) also resists cracking by a hypothetical engine that has access to large natural-language corpora and is able to do sufficiently fast partial and close-match searches on them (to account for minor variation such as character substitution); and 3) can be reliably remembered by the user.
If we want to raise the stakes, we might also ask that it have enough entropy to resist BQP attacks (Shor's or variations thereof) for what we guess is an economically-feasible number of functional qubits given the value of the protected resource. (If an attacker is willing to dedicate 100 f-qubits to attacking the passphrase, you probably need at least 60 characters, if the passphrase is in English - but that's just a rough estimate.)
But even statements like those are just handwaving.
Angela Sasse at University College London did masses of very useful research into password effectiveness and usability
Indeed, including the classic 1999 CACM article "Users Are Not the Enemy" (with Anne Adams), which is a useful corrective for the Reg article we're responding to here. And Sasse has published on many other aspects of IT security. And so have many, many other researchers. And most software developers have studied little or none of this research. What else is new?
Developers and other IT practitioners, with their ignorance of relevant research, aren't the enemy either (tempting though it often is to blame them). There are reasons - economic and psychological[1] - why the vast majority of IT practitioners don't follow relevant research. And why most researchers aren't practitioners. And why both are often disconnected from users.
There are ways to change those economics, such as regulation. They come at a cost, too. Maybe at some point we'll decide, as a society, that the cost of poor IT security justifies the cost of changing the economics of better software security.
[1] Which are really two aspects of the same thing, of course; that's why we have behavioral economics as a research field.
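The distinction drawn above between a passphrase built from randomly chosen words and one lifted from natural language (where a corpus-backed cracker only has to search the corpus plus a few spelling variants) is the part that can be put into numbers. The following is an added illustration, not code from the commenter or from the article under discussion; the word-list size, corpus size, variant counts and guess rate are assumed inputs chosen for the example, not measurements.

```python
import math


def random_passphrase_bits(words: int, wordlist_size: int, variants_per_word: int = 1) -> float:
    """Entropy in bits of a passphrase whose `words` words are each chosen
    uniformly at random from a list of `wordlist_size` entries, and whose
    spelling variant (e.g. a character substitution) is also chosen uniformly
    from `variants_per_word` options. Uniform random choice is the assumption
    that makes this arithmetic valid; a user-picked phrase does not meet it."""
    return words * (math.log2(wordlist_size) + math.log2(variants_per_word))


def corpus_phrase_bits(distinct_phrases: int, variants: int = 1) -> float:
    """Entropy an attacker effectively faces when the user chose a phrase that
    already exists in a corpus (lyric, quotation, headline): the search space is
    the number of candidate phrases times the spelling variants the cracker can
    enumerate, regardless of how many characters the phrase has."""
    return math.log2(distinct_phrases * variants)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected offline time to find a uniformly distributed secret of `bits`
    bits: on average half the space is searched before the hit."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(guesses_per_second: float = 1e9) -> dict:
    """Worked comparison with constructed parameters (assumptions, not data):
    six words from a 7776-word list versus a memorable phrase drawn from a
    hypothetical corpus of one million distinct phrases, each with 16 common
    character-substitution variants the cracker can generate."""
    random_bits = random_passphrase_bits(words=6, wordlist_size=7776)
    corpus_bits = corpus_phrase_bits(distinct_phrases=1_000_000, variants=16)
    return {
        "random_bits": random_bits,
        "random_seconds": expected_crack_seconds(random_bits, guesses_per_second),
        "corpus_bits": corpus_bits,
        "corpus_seconds": expected_crack_seconds(corpus_bits, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:,.3g}")
```

The guess rate should be set from the hash in use (a fast unsalted hash versus a deliberately slow KDF differ by many orders of magnitude), which is why the function takes it as a parameter rather than hard-coding one; the point the numbers make is that long but natural phrases gain little from their length once the cracker searches phrases instead of characters.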