@adrian – Putting a maximum limit on a pasword is not stupid, putting a vey small one is, but putting some sort of maximum on is sensible.

As for making users use different characters, tough, users are the first to complain if their account gets hacked, but then when a users use “1234″ or “password” for their accoutn what do they expect, unfortuantely some users need to be saved from their own stupidty.

Yes a 6 letter (a-z) password is less secure than than a 6 letter (a-zA-Z0-9) password, but not as strong as a 10+ letter (a-z) one.

I’m personally just waiting for more sites to start asking for passphrases so that they become common enough that users understand them and don’t get confused.

that’s good advice only if you are providing generic, personal, “harmless” services to your customers, like blogs and picture albums. Stuff that don’t impact revenue. Services that demand security need a stronger password policy.