There's a Slashdot conversation taking place about using and enforcing cryptographically strong passwords (it's all about passphrases, people, passphrases; read my experiences here). In that thread, someone linked to an old and quite perfect social engineering example that I had not seen in a while. In my field I see and hear some of the funniest (or rather scariest) stories about situations like this.
From an IRC chatroom:
hey, if you type in your pw, it will show as stars
********* see!
hunter2
doesnt look like stars to me
thats what I see
oh, really?
Absolutely
you can go hunter2 my hunter2-ing hunter2
haha, does that look funny to you?
lol, yes. See, when YOU type hunter2, it shows to us as *******
thats neat, I didnt know IRC did that
yep, no matter how many times you type hunter2, it will show to us as *******
awesome!
wait, how do you know my pw?
er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
oh, ok.
Pretty darn funny - unless it's you.
Of course, much of the /. conversation has evolved into the requisite noise and talk about how the original question is a moot point because passwords are dead, etc etc etc blah blah blah slashdot-ad-nauseam...
And, since we need something useful to go with the something-funny/scary, here's some information worth reading about how to make it possible for users to remember and use cryptographically strong authentication without having to resort to Post-its and .txt files on the computer:
The Great Debate: Pass Phrases vs. Passwords
Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
Part Two - discusses the relative strength of each type of password, and uses some mathematical approaches for illustration
Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy
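To put numbers behind the "relative strength" argument that Part Two makes, here is a small worked example (added here; it is not code from this post or from the linked articles) that computes the entropy of a uniformly random password versus a uniformly random passphrase and the number of words needed to match a given password policy. The 7776-entry wordlist size is an assumption taken from the common Diceware convention, and the charset sizes are my own constructed figures; the formulas only hold when every character or word is chosen at random, so a human-chosen password like "hunter2" sits well below the upper bound shown for its length.

```python
import math

# Constructed charset sizes for uniformly random passwords (assumptions, not from the post).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed+digits": 62,
    "mixed+digits+symbols": 94,  # printable ASCII without space
}

# Assumed wordlist size: 6**5 entries, the usual Diceware list size.
DICEWARE_WORDS = 7776


def password_entropy_bits(length, charset_size):
    """Entropy in bits of a password drawn uniformly from charset_size**length choices."""
    if length < 1 or charset_size < 2:
        raise ValueError("need length >= 1 and charset_size >= 2")
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words, wordlist_size=DICEWARE_WORDS):
    """Entropy in bits of a passphrase of `words` words drawn uniformly from a wordlist."""
    if words < 1 or wordlist_size < 2:
        raise ValueError("need words >= 1 and wordlist_size >= 2")
    return words * math.log2(wordlist_size)


def expected_guesses(bits):
    """Average guesses for an attacker who enumerates the whole space: half of 2**bits."""
    return 2.0 ** (bits - 1)


def words_to_match(bits, wordlist_size=DICEWARE_WORDS):
    """Fewest wordlist words whose passphrase entropy is at least `bits`."""
    return math.ceil(bits / math.log2(wordlist_size))


def compare(password_length, charset_name, words):
    """Side-by-side figures for a password policy and a passphrase of `words` words."""
    pw_bits = password_entropy_bits(password_length, CHARSETS[charset_name])
    pp_bits = passphrase_entropy_bits(words)
    return {
        "password_bits": round(pw_bits, 2),
        "passphrase_bits": round(pp_bits, 2),
        "words_to_match_password": words_to_match(pw_bits),
        "passphrase_is_stronger": pp_bits >= pw_bits,
    }


if __name__ == "__main__":
    # A typical 8-character mixed-case-plus-digits policy versus a four-word passphrase.
    print(compare(8, "mixed+digits", 4))
    # Upper bound for a 7-character lowercase+digit secret such as the one in the IRC log,
    # and only if it had been chosen at random, which "hunter2" clearly was not.
    print(round(password_entropy_bits(7, CHARSETS["lowercase+digits"]), 2), "bits")
```

The takeaway matches the linked series: four random dictionary words already exceed an eight-character mixed-case-and-digit password in entropy, and each extra word adds about 12.9 bits, whereas each extra character from a 62-symbol set adds about 5.95. None of this helps, of course, if the secret is typed into a chat window.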