What about not having a password at all?
The user who wants to log in requests a login link to their email, and can click it within a set amount of time.
Then the user only has to know the email password. And that could be used to get a new password anyways.
For lots of sites I only visit once a year, I need a new password each time. And it would save me the trouble of making something up each time, and not remembering it anyways.
And if I tried to remember it, it would likely be a password I use on another site. Which would be bad.
I think you just invented OpenID. Better, because more people have email addresses than OpenID providers, and because it piggybacks on existing infrastructure. Worse, because you don't auto-redirect past the login page.
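The login-link flow proposed in the first comment, sketched as an added example that is not code from this thread: a link that expires after a set time, works once, and is stored server-side only as a hash. The class name `LoginLinkStore`, the 15-minute lifetime, the `example.test` URL and the in-memory dict standing in for a database are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the thread only says "set amount of time"


def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked table does not contain usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class LoginLinkStore:
    """Hypothetical in-memory store for pending e-mail login links."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._pending = {}  # sha256(token) -> (email, expires_at)
        self._ttl = ttl
        self._clock = clock

    def issue(self, email: str) -> str:
        """Create a link to e-mail to the user; older links for that address die."""
        email = email.strip().lower()
        for key in [k for k, (e, _) in self._pending.items() if e == email]:
            del self._pending[key]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (email, self._clock() + self._ttl)
        return "https://example.test/login?token=" + token  # constructed URL

    def redeem(self, token: str):
        """Return the e-mail address to log in, or None if the link is not valid."""
        # pop() makes the link single-use even when it turns out to be expired.
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email


if __name__ == "__main__":
    store = LoginLinkStore()
    link = store.issue("visitor@example.test")  # constructed address
    token = link.split("token=", 1)[1]
    print("first click :", store.redeem(token))
    print("second click:", store.redeem(token))
```

As the comment notes, the mailbox becomes the only credential, so whoever can read the user's mail within the lifetime can log in; the short expiry and single use limit that window.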