random character strings aren't really all that hard to remember, so long as you don't have to change it every month. The problem is that people won't choose random passwords on their own, and if you have someone (or something) assign the password then it's not something only the user knows.<p>I think one of the things that pisses me off the most are challenge-response systems that only let you pick from 7-8 different questions. One of the sites I use a lot just started requiring you to answer your security questions every single time you log in (or at least once per month, which is how often I use the site). And there is no way to fill out your own questions, and several of them would clearly only apply to subsets of people. (Married people, people with pets, etc). <p>The best security questions, in my experience, are the ones I fill out myself. I could, for example, use a pattern of always answering the question wrong in the same way. "What was the name of your first crush?" Your answer is her favorite band. When you can't choose the question, that sort of thing gets a lot harder to do.
Completely off topic, but can we all stop using the word "humans" to make ourselves sound objective and scientific? Unless it's part of a comparison with other species, the word is "people."
i think that passphrases are a good start, however as the article suggests some websites are to fault. My bank, until it updated it's system recently, didn't allow for special characters in passwords.