xkcd.org has done it again:
Using a short password is a theoretical security risk, because there are many countermeasures someone can enable to thwart remote cracking attempts. A more real risk for some organizations is putting a limit on the length of their passwords while enabling remote access to their systems using only those weak credentials and, as a countermeasure against denial-of-service attacks, not locking accounts after a small number of failed login attempts. For all 3 of you concerned: short complex passwords without proper countermeasures are history. I think you should go fix your systems. Now!