Passphrase Evangelism

Good idea, but the name pass phrase is already taken. That is the “password” for your ssh key, since the ssh key itself is the real password. The pass phrase just unlocks the password.

For the web, I use SuperGenPass. It’s a bookmarklet that generates a hash from the current domain+secret. Just click on the bookmarklet, enter your master password and never forget the “once visited” website’s password. http://labs.zarate.org/passwd_new/

Another interesting identification method is visual passwords, like asking the user to draw a symbol. This domain is still new and needs more investigation. I didn’t find any implementation yet.

My friend gave me a neat approach to passwords. In setting up a web server for me, he used the first letter of each word in part of a song we wrote together. (I guarantee you’ve never heard it.)

Maybe you don’t know a song nobody else does, but you could pick some of your favorite song lyrics and get something like ehmhibaiaithog (every house must have its builder, and I awoke in the house of God). I imagine that would be pretty hard to guess, but still fairly easy to remember.

I am a proponent of long passwords but only recently. Most applications will not allow it in my experience - so you are exactly right.

For reference, I checked my Writing Secure Code, 2nd edition (Howard Lipner) and note that versions of Windows prior to Windows 2000 allowed 14-character passwords. Windows 2000 and later supports passwords up to 256 characters long.

So from a Windows world, one can guess where the habit of short passwords came from.

ss

@dude

RFID is broken :stuck_out_tongue:

Google it. It’s a radio signal. Easy to pickup and duplicate :stuck_out_tongue:

How many websites have you seen that only support letters and numbers for passwords? Too many in my book.

My password for everything is orange :open_mouth:

What are your thoughts on this: http://www.safelogin.com

I’ve recently come across it and it looks promising.

How about the security dongles that randomly generate a 7-9 digit code every 5 minutes. The dongle relates to a server in real time and only the holder of the dongle would have access to the password. Even if you try to brute force it, 5 minutes go by and you start back at square one.

It is quite effective…until you lose your dongle. I hate losing my dongle. :slight_smile:

*hate

There is no excuse to not at least allow pass-phrases. The password text box on a form should be set to the maximum length. Then of course, since you’re not storing the password in plain text, you create a hash from your encryption algorithm of choice. This will create a fixed-length digest of the password, which will not create any length issues in the database in which you are storing this possibly very long pass-phrase.

Now the next point you make is a very good one. User education of the security benefits of pass-phrases would be the only other thing needed in your application.

As for biometric verification, I think if this ever became a commonly used verification technique, it would actually end up being LESS secure than passwords. I think at the moment, the only commercially viable biometric verification is fingerprint scanning. Now think about how you would leave the equivalent of a post-it note with your password on it with every object you touch throughout the day. If the use was ever widespread, the materials you would need to lift fingerprints would probably become widely available, thus allowing anyone to use your prints for accessing your sensitive information just by taking your coffee cup out of the trash.
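One way to do what this post describes, hashing a pass-phrase of any length down to a fixed-size digest before it is stored, as an added example that is not the commenter's code. It uses PBKDF2-HMAC-SHA256 from Python's standard hashlib; the iteration count and salt size are assumed example parameters, not values from the thread.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Example parameters (assumptions for this illustration, tune for your hardware).
ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # SHA-256 output size: the same whatever the pass-phrase length


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for an arbitrary-length pass-phrase.

    PBKDF2-HMAC-SHA256 is used here because hashlib ships it and, unlike bcrypt,
    it does not silently truncate input at 72 bytes, so a very long pass-phrase
    is hashed in full. A fresh random salt is drawn when none is supplied.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return salt, digest


def verify_passphrase(passphrase: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    _, candidate = hash_passphrase(passphrase, salt)
    return hmac.compare_digest(candidate, stored_digest)


def stored_lengths(*passphrases: str) -> list:
    """Digest length for each pass-phrase: every entry equals DIGEST_BYTES."""
    return [len(hash_passphrase(p)[1]) for p in passphrases]


if __name__ == "__main__":
    short = "orange"
    long_phrase = "every house must have its builder, and I awoke in the house of God"
    # Both store as 32 bytes, so column width never limits pass-phrase length.
    print(stored_lengths(short, long_phrase))                 # [32, 32]
    salt, digest = hash_passphrase(long_phrase)
    print(verify_passphrase(long_phrase, salt, digest))        # True
    print(verify_passphrase(long_phrase + "!", salt, digest))  # False
```

Store the salt next to the digest (a 16-byte and a 32-byte column suffice); the pass-phrase itself is never written anywhere.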

“How many websites have you seen that only support letters and numbers for passwords? Too many in my book.”

Very true, though this is generally to prevent XSS or SQL injections. If you didn’t allow the characters ’ " = < and >, then you’re potentially confusing users with what they can and can’t have in their passwords, which is why some sites only allow alphanumeric passwords.

As for the first word from a song or mnemonics, I quite like the idea and may start using them!

Very interesting post!