We currently have the almost de facto standard of requiring complex passwords on our Windows AD domain. But this XKCD cartoon caught my eye a few months ago when it came up on Coding Horror (I think):
Has anyone changed their password policy like this, i.e. require a long phrase as opposed to a shorter one with non-alpha characters? If so, have you had any problems with audits by 3rd parties? We often get audited by our pharma clients and I'm not sure they'd buy into this.
It makes a lot of sense to me though - especially when one discovers passwords written down because they cannot be remembered.