I'll Bite (Score 1)
1) Choosing a password should be something you do very infrequently.
No. Passwords need to be rotated for all kinds of reasons. It results in the account being effectively disabled when account policies fail (forgotten service accounts, etc.). It ensures that if the password store has leaked and it's not discovered, strong passwords remain safe (can't be cracked in the rotation time) and that access to accounts with weak passwords is at least detected at some point. Passwords should be used uniquely per person/organization for the most part, at finer grains in some cases; most people form relationships with organizations frequently. So password selection actually occurs very often, and should.
2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks.
Most "brute force" attacks are informed and statistical, the offline ones anyway; you try to get the low-hanging fruit first (birthdays, names, dictionary words and the usual substitutions) before you do the exhaustive search of the key space. In online attacks where the attacker is throttled this has greater impact, but a password that is strong against offline attack is also strong against online attack, so I don't see any reason to place emphasis here, other than to simply say the best passwords have the most entropy.
3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password.
Ok, I can agree with this one, but really the implementation is hard. Beyond the usual "is it in a dictionary of common passwords?" check (good systems already implement this), you should not be able to know if lots of other people are using that password, because you are only storing salted hashes, right, and everyone gets their own salt, right?
4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords.
No, the most important thing we can do is try to move away from password-only security and move toward two-factor, which is more and more feasible now that most people are carrying a cell phone that can at least get SMS messages.
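The two points in item 3 are easy to see in code: a store of per-user-salted hashes cannot tell you how many users share a password, so the only place a "how common is this?" check can run is at selection time, against the plaintext, with the usual substitutions undone. The following is an added illustration written for this thread, not code posted by the commenter; the blocklist, the substitution table and the user names are constructed samples, and the store is a plain dictionary standing in for a real credential database.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed stand-in for a breach-derived common-password list (illustrative only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin"}

# The "usual substitutions" an informed attacker tries first. '1' is ambiguous
# (l or i); 'i' is chosen here, so 'letme1n' is not caught. Constructed table.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s"})

# A fixed salt used only to show what a store WITHOUT per-user salts leaks.
GLOBAL_SALT = b"constructed-shared-salt"


def canonical(password: str) -> str:
    """Reduce a password to the dictionary word an attacker would guess it from:
    lower-case it, strip trailing digits/punctuation, then undo leet substitutions."""
    p = password.lower().rstrip("0123456789!?.")
    return p.translate(LEET_MAP)


def is_common(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """Selection-time check: the only point at which 'how many others chose this'
    can be approximated, because the plaintext is still available."""
    return password in blocklist or canonical(password) in blocklist


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_store(users: Dict[str, str], per_user_salt: bool = True) -> Dict[str, Tuple[bytes, bytes]]:
    """Create a username -> (salt, digest) store for the constructed users."""
    store = {}
    for username, password in users.items():
        salt = os.urandom(16) if per_user_salt else GLOBAL_SALT
        store[username] = (salt, hash_password(password, salt))
    return store


def duplicates_visible(store: Dict[str, Tuple[bytes, bytes]]) -> bool:
    """True if two users' digests are equal. With per-user salts this is (as good
    as) never true even when the passwords are identical, which is the point the
    comment makes: the store cannot reveal how popular a password is."""
    digests = [digest for _, digest in store.values()]
    return len(digests) != len(set(digests))


def verify_password(store: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    if username not in store:
        return False
    salt, digest = store[username]
    return hmac.compare_digest(digest, hash_password(password, salt))


if __name__ == "__main__":
    users = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery staple"}
    print("alice and bob share a password; visible with per-user salts?",
          duplicates_visible(build_store(users, per_user_salt=True)))
    print("...and with one global salt?",
          duplicates_visible(build_store(users, per_user_salt=False)))
    for pw in ("P@ssw0rd2019!", "l3tm31n", "correct horse battery staple"):
        print(f"{pw!r} -> canonical {canonical(pw)!r}, common: {is_common(pw)}")
```

The contrast between the two `build_store` calls is the whole argument: only the store with a shared salt lets an operator (or a thief) count users per password, and that is exactly the property a properly salted store is designed not to have.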