If pass phrases are inherently far more secure, why do we still prompt people to create and use a *password* and then make a big stink that they did *exactly that*? Just because they do that poorly we shouldn't hold that against them since the process itself doesn't do anything to help them do so better--it's actually at odds, whereas simply indicating the different process of selecting a pass *phrase* does.
Why not simply change the labels and validation (since when should a site ever *prohibit* any specific character from a pass phrase?!!) to say "pass phrase" to urge people in a better direction?
We have bone-headed developers that have "helpfully" sent out emails to every member of a site saying "to improve security we have stripped all non alpha-numerics from your password"... Huh????? a) that means you stored my pass phrase *in plain text* in your database, then b) you *shortened it*! and c) you reduced the available combinations and d) turned my pass phrase into a password.
We have *banks* adding "site lock" security--reducing the security of their websites and *lying* to their users telling them that a) it increases their security and b) *trust the site lock image to indicate that it's really the correct site* rather than educating them to check the *SSL cert*!
Perhaps we need an article similar to "what every developer needs to know about character encoding" but for "handling user credentials". It's obvious that it's not just users that don't get it--but many developers and businesses also.