My problem is this: too many sites don't even publish their password policies, so I can't even begin to tell what is an acceptable password. I may go to the trouble to use mixed case, only to find out that their password is case-insensitive. Or they may accept a long password but silently truncate it. Or they may not accept special characters, but "tell" me only with an error message when I try one. Or sites that turn right around and *send* me my new password so I won't forget it (again, without telling me ahead of time). Or this beaut from Verizon Wireless: to enter your billing password (a secondary password that you can't change if you forget it, even if you know your primary password there), if you have to enter it on your phone, you convert its mixed-case letters via the phone's keys. The prompt (long after you've created your password) says that the password "abc2" is the same as "2222". In essence, they reduce everything to digits.
This is a completely new twist on "security by obscurity". Your password is defined under double secret probation.
At least most sites are now accepting more than 8 characters. But even that took years.
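As an added illustration (not part of the original comment or of any site's code), the following Python measures how much of a password's entropy survives the silent policies described above: case-folding, truncation, and reduction to phone-keypad digits. It assumes the standard keypad layout (2=ABC, 3=DEF, 4=GHI, 5=JKL, 6=MNO, 7=PQRS, 8=TUV, 9=WXYZ), which matches the "abc2" is "2222" example; the truncation length and the combination of policies are assumptions chosen for illustration.

```python
"""Estimate the effective strength a site actually stores after applying
the undocumented password transformations a user never sees.
Added example; keypad layout and policy parameters are assumptions."""
import math
import string

# Assumed standard phone keypad letter groups (ITU E.161 style).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

# Constructed sample alphabet: what a user believes they are choosing from.
MIXED_ALPHANUMERIC = string.ascii_letters + string.digits


def normalize(password, case_insensitive=False, truncate_to=None, keypad=False):
    """Apply the silent transformations in the order a careless site would:
    truncate the raw input first, then fold case, then map to keypad digits.
    Characters with no keypad letter (digits, punctuation) pass through."""
    if truncate_to is not None:
        password = password[:truncate_to]
    if case_insensitive:
        password = password.lower()
    if keypad:
        password = "".join(LETTER_TO_DIGIT.get(c.lower(), c) for c in password)
    return password


def distinct_per_position(alphabet, **policy):
    """Number of distinguishable values one character position keeps
    once the policy has been applied to it."""
    return len({normalize(c, **policy) for c in alphabet})


def effective_bits(alphabet, length, truncate_to=None, **policy):
    """Entropy in bits of a uniformly random password of `length` characters
    drawn from `alphabet`, as the site actually stores it."""
    kept = length if truncate_to is None else min(length, truncate_to)
    return kept * math.log2(distinct_per_position(alphabet, **policy))


def preimage_count(stored, alphabet, **policy):
    """How many raw passwords over `alphabet` (same length as `stored`)
    the policy maps onto `stored`, i.e. how many the site cannot tell apart."""
    count = 1
    for target in stored:
        count *= sum(1 for c in alphabet if normalize(c, **policy) == target)
    return count


if __name__ == "__main__":
    print(normalize("abc2", keypad=True))                     # 2222
    print(effective_bits(MIXED_ALPHANUMERIC, 12))              # full 62-symbol entropy
    print(effective_bits(MIXED_ALPHANUMERIC, 12, truncate_to=8))
    print(effective_bits(MIXED_ALPHANUMERIC, 12, case_insensitive=True))
    print(effective_bits(MIXED_ALPHANUMERIC, 12, keypad=True))
    print(preimage_count("2222", MIXED_ALPHANUMERIC, keypad=True))
```

Running it shows why the keypad rule matters: a 12-character mixed-case alphanumeric password nominally carries about 71 bits, silent truncation to 8 drops that to about 48, case-folding to about 62, and keypad reduction to under 40, and "abc2" shares its stored form with 2,400 other four-character passwords.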