Bruce Schneier is recommending mixed-case "first letter of each word in a sentence" (Floewias), with mixed-in numbers, rather than the usual word-plus-appendage approach.
The article also provides a good summary of why web applications, when not exposing XSS or other flaws, can be much harder to break into by password guessing. There's no way, at least with my slow servers, that a program could make 900 guesses per second against my accounts.
Also, remote applications can tarpit or firewall chronic guessers, something desktop apps can't do.
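As an added illustration of that server-side advantage (example code written for this post, not from Schneier's article or any named product), here is a small login throttle that does both things the paragraph mentions: it tarpits a source that keeps failing, doubling the stall each time, and firewalls it outright past a higher threshold. The thresholds and the 192.0.2.x address used in testing are constructed values.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Server-side throttle for password guessing, keyed by source address.

    Two controls (thresholds are constructed example values):
      * tarpit: after `tarpit_after` failures inside the window, every further
        attempt is stalled, doubling each time, up to `max_delay` seconds;
      * firewall: after `block_after` failures inside the window the source is
        refused outright for `block_seconds`.
    `clock` is injectable so the logic can be exercised without sleeping.
    """

    def __init__(self, window=60.0, tarpit_after=3, block_after=10,
                 base_delay=1.0, max_delay=30.0, block_seconds=600.0,
                 clock=time.monotonic):
        self.window, self.tarpit_after, self.block_after = window, tarpit_after, block_after
        self.base_delay, self.max_delay, self.block_seconds = base_delay, max_delay, block_seconds
        self.clock = clock
        self.failures = defaultdict(deque)   # address -> timestamps of recent failures
        self.blocked_until = {}              # address -> time the block lifts

    def _recent_failures(self, addr, now):
        q = self.failures[addr]
        while q and now - q[0] > self.window:
            q.popleft()                      # forget failures that fell out of the window
        return len(q)

    def check(self, addr):
        """Decide how to treat a new attempt: (allowed, seconds to stall before checking)."""
        now = self.clock()
        if self.blocked_until.get(addr, 0.0) > now:
            return False, 0.0                # firewalled: do not even look at the password
        n = self._recent_failures(addr, now)
        if n >= self.block_after:
            self.blocked_until[addr] = now + self.block_seconds
            return False, 0.0
        if n >= self.tarpit_after:
            delay = min(self.base_delay * 2 ** (n - self.tarpit_after), self.max_delay)
            return True, delay               # tarpit: still answer, but slowly
        return True, 0.0

    def record(self, addr, success):
        """Update the failure history after the password has actually been checked."""
        if success:
            self.failures.pop(addr, None)    # a real login clears the slate
        else:
            self.failures[addr].append(self.clock())
```

The caller sleeps for the returned delay before verifying the password, so a chronic guesser's rate collapses long before the hard block kicks in, while a user who mistypes twice never notices.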
By Chris Snyder on January 11, 2007 at 9:45am