Re: the human factor
I agree that people generally try to use really easily memorised passwords - and that has always been one of the problems with passwords. Another is that administrators have little real control over the strength of a password a user elects to use. Sure you can set up systems that insist on mixtures of characters, and you can also ban "dictionary" words, but you have little control over users who insist on having a password which say relates to them in some way that a hacker might guess, but the user has simply "disguised" it with 3s instead of Es etc. However the great advantage of a system like PinPlus (pin+) is that it can to a great extent police itself (you can set it to ban things like straight lines - which would prevent someone just choosing the top line) and it can guide the user to set up something really strong, yet easily remembered - because it's a brain-friendly shape or pattern.