One of my older passwords for important stuff was an Office 2000 key I learned by heart. 25 characters, letters mixed with numbers, not including dashes. If special characters were required, then I'd use dashes, otherwise not.
Save for VL keys, they were unique so the chances of someone guessing that were very, very slim.
And just for kicks I wrote a password manager which allowed you to use any key on the keyboard, including ctrl, shift, alt, caps lock, Win key, you name it. How about using ctrl, shift+num*, backspace, backspace, F1, Esc, Scroll Lock, Winkey as a password? :)
(the only problem was that if you fat-fingered a key you would have to wait for the 10-second cool-off and try again when prompted)
The application could also be configured to give you a "wrong password" result if you entered the right password, with a configurable delay during which you were expected to do nothing to go through. There was no visual feedback when pressing the keys, only sound.
But a regular user would be driven mad by such a login method, heh-heh.
There are many ways to make an environment secure password-wise. But Average Joe wants it quick and easy, so as long as people aren't educated, nothing would really be secure enough.