Password Rules Are Bullshit

The only way I see it's possible to sort this problem out is when people decide to live right, and then we won't need passwords.

Like Einstein said: a problem cannot be solved from the same level of consciousness it was created from.
I now understand what he was talking about.

We fight with reflection in a mirror and try to protect ourselves from our own shadows.

I got tipped off about your article, having written something similar myself, where instead of encouraging my users to use characters, I encourage them to use sentences. Since the vocabulary of the English language alone is roughly 150,000 words, before we start adding slang words, other languages (I am Norwegian myself), and the fact that most people can create some simple phrases in a whole range of different languages, such as Spanish (Hasta la vista), Arabic (Allahu akbar), Yoda speak (The force in you, truly is strong my son), etc., etc., etc. - I concluded that increasing it even further, to 25 characters, while encouraging my users to use complete sentences, would probably result in even larger entropy.

If you’d like to read my ramblings, feel free to check it out here

Now of course, the idea is that even a sentence with an astonishingly high amount of entropy is still dead simple for the user to remember, without having to write it down. At the same time, the statistical probability that he'll need to reuse passwords becomes significantly reduced - at least passwords he has used previously, since these would historically for the most part have consisted of 8-10 character passwords.

In addition, creating a unique password for each service would be easy, since the user could use his own personal associations. For your site, for instance, I could have chosen: "Holy mother of blip, I am so deadly scared now, that my hair stands straight up into the air"

All in all, this significantly increases the entropy, literally exploding it in size, while still making sure that the human brain is easily capable of remembering the actual password. This would also encourage users to make sure they use the "Remember me" checkbox when logging in, resulting in the password being sent over the wire fewer times, arguably further increasing its security …

Do you think it's possible that you may be addressing the wrong audience?

I mean, most of the reason that dumb password rules exist in the wild is that the software behind the password box allowed the dumb rules to be defined… If the developers who wrote the rule-definition software didn't allow dumb rules to be created in the first place, then the rule enforcers would be forced to come up with better rules.

For Example:

  • not allow the admin to drop the maximum password length below 20.
  • if the entered password matches some known good standard form, then ignore the BS rules set by the admin
    ** 128 to 256-Bit Base64: (?i)^[a-z0-9+/]{22,43}={0,3}$
    ** 128 to 256-Bit Ascii85: (?i)^[a-z0-9!#$%&()*+;-<=>?@^_`{|}~]{20,40}$
  • not allow the admin to disable copy/paste into the password box

Built-in password shaming may be a nice feature as well:
short password -> “My cell phone could randomly guess your password in x seconds”
password in a dictionary -> “I just used a thesaurus to guess your password in 0.00x seconds”
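One way the guardrails from this post could look in the rule-definition software itself, as an added example that is not code from the post or from any real product: the admin's configuration is sanitized before use (the maximum length can never drop below 20 and paste can never be disabled), and a candidate that matches one of the two "known good standard form" regexes above bypasses the admin's composition rules entirely. The two regexes are copied from the post; the policy dictionary shape (min_length, max_length, allow_paste, required_classes) and the character-class names are assumptions of this example.

```python
import re

# "Known good standard forms": the two regexes are the poster's own, unchanged.
STANDARD_FORMS = {
    "128-256 bit base64": re.compile(r"(?i)^[a-z0-9+/]{22,43}={0,3}$"),
    "128-256 bit ascii85": re.compile(r"(?i)^[a-z0-9!#$%&()*+;-<=>?@^_`{|}~]{20,40}$"),
}

# Guardrail from the post: the admin may never drop the maximum length below 20.
MAX_LENGTH_FLOOR = 20

# Character classes an admin may demand (assumed policy vocabulary for this example).
CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def sanitize_policy(admin_policy):
    """Apply the guardrails to whatever the admin configured.

    The policy dict keys (min_length, max_length, allow_paste, required_classes)
    are an assumption of this example, not any product's real schema.
    """
    policy = dict(admin_policy)
    max_len = policy.get("max_length")
    if max_len is not None and max_len < MAX_LENGTH_FLOOR:
        policy["max_length"] = MAX_LENGTH_FLOOR
    # The software offers no way to disable paste, so the flag is always true.
    policy["allow_paste"] = True
    unknown = set(policy.get("required_classes", ())) - set(CHARACTER_CLASSES)
    if unknown:
        raise ValueError(f"unknown character classes in policy: {sorted(unknown)}")
    return policy


def matches_standard_form(password):
    """Return the name of the standard form the password matches, or None."""
    for name, pattern in STANDARD_FORMS.items():
        if pattern.fullmatch(password):
            return name
    return None


def check_password(password, admin_policy):
    """Return (accepted, reason) for a candidate password under the sanitized policy."""
    policy = sanitize_policy(admin_policy)
    form = matches_standard_form(password)
    if form is not None:
        # Standard-form input (e.g. from a password manager) skips the admin's rules.
        return True, f"accepted: matches {form}, admin rules ignored"
    problems = []
    if len(password) < policy.get("min_length", 0):
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy.get("max_length") is not None and len(password) > policy["max_length"]:
        problems.append(f"longer than {policy['max_length']} characters")
    for name in policy.get("required_classes", ()):
        if not CHARACTER_CLASSES[name].search(password):
            problems.append(f"missing {name} character")
    if problems:
        return False, "rejected: " + "; ".join(problems)
    return True, "accepted"


if __name__ == "__main__":
    # Constructed admin policy with the kind of "dumb rules" the post complains about.
    dumb_policy = {"min_length": 8, "max_length": 12, "allow_paste": False,
                   "required_classes": ["upper", "digit"]}
    for candidate in ("hasta la vista", "Hasta la vista 2", "A" * 22 + "=="):
        print(repr(candidate), check_password(candidate, dumb_policy))
```

Note that the bypass inherits whatever the regexes accept: the base64 pattern lets a run of 22 identical characters through, so in practice the standard-form check would be paired with a blocklist or entropy check rather than used alone.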

Whoa, for the record, 'correct horse battery staple' is not a human-generated phrase; it's randomly generated by rolling dice and looking up words in a list big enough to be secure, then taking what you rolled and writing a story to help you remember the random sample. (Unfortunately, with Diceware's word list you need 20 words to get 258.496… bits of randomness.)

Not only is the rule bullshit. It is also bullshit if you cannot put the password in your brain. When you cannot remember it, you will have to write it down, or save it somewhere. That is the catch, isn't it!

For example, BitLocker - I am never able to remember the 48-digit number, so I have to write it down and bring it with me. So if I lose my laptop, I have probably also lost the written key I carry with me at the same time. You don't have to prove whether BitLocker has a back door or not. The back door is on you, the user!!

1 Like


Ok, some really good points here, but I'm not James Bond. I'm old, tired, and boring. Why do I need a password at all to open up my phone voicemail and other similar low-key apps? I don't have a secret life to hide, I don't care if my wife checks anything for me, is all this really necessary? I get the point for banking and the like, but where does it end? Will I need a password to get the toaster to work or a chip in my finger for the toilet to flush? My friends claim Big Brother is watching and listening to me through the TV too, poor bastard, hope he's got some strong coffee.

You are so right!
I also hope that you did not use any “bullshit” algorithms either, like AES or SHA, those get attacked all the time!

Way better to make your own algo! I like “double XOR” for super protection!

Ever thought that your bank may leave a voicemail?

Mostly you need to protect your email (because it is the de facto skeleton key for "forgot password" everywhere), and bank-related online accounts.

That is, unless you just hate having money, and would like to assist others in removing said money from your possession so you don't have to be bothered by alllll that pesky cash :money_mouth_face:

1 Like

What would be the backup plan for someone whose phone ran out of juice before the “ping” arrived?

1 Like

Why are we trying to make our passwords so, so "secure" when your data can still be read by the company that stores it and can be accessed without any of your password?
Currently, I see that the password is virtually useless, given the way it is being used and the way the system has been designed. It only helps prevent a "point-to-point" attack. But most large-scale attacks are from within the company that stores your data.

Before making your password beautiful, we need a better-designed system first. For example:

Google, Hotmail, and Yahoo Mail should encrypt your email with your password but not store your password in any form in their system. Then no one can read your email except a person who knows your password. If a new email comes into the system, the company may not be able to encrypt it under your password either. But as soon as you log in with your password, it starts encrypting under your password. So if anyone at Google would like to obtain your email content, they have to contact you for permission. As soon as you permit it, the content is decrypted, and the copy is encrypted with the company's own password.

This way, one can implement another layer of security like a blockchain to trace the transaction, so that if you want to claim your data has been stolen, you can trace it down to the original person/company who took your data and shared it with others not under your original contract for giving out your data.

You can trace the chain of decryption and encryption, which is where data has been transferred or shared with others. Then it is truly the DNA of sharing with caring. And the person who shares your data now has to take much more responsibility on their hands, under the protection of the law and the traceability of the blockchain.

Another example: medical data should only be accessible by you. Then you permit your doctor to use your data for other research by him asking you for the transaction; then you supply your password to decrypt, and the doctor supplies his to encrypt. Then he now has the responsibility to share with the right persons/organisations, and they can be traceable. Now you can sue the doctor if he abuses your data.

1 Like

Nobody has mentioned this yet that I can see.

How about requiring an action in addition to a password?

I can’t remember the show, but there was one episode where they knew it was a hacker or an unauthorized party who had access to an account because the real owner ALWAYS input three wrong passwords, and only THEN the correct one.

So, do two completely different passwords, separated by a WRONG password that differs in a way that's part of a set of possible allowed differences (which, unlike the password itself, are user-defined, say, with a regex to internally match the differences to the rule(s) the user has set), THEN the correct one. Or something.

“Something you know, something you have, and something you are” isn’t enough. “Something you are” is horrible; you can’t change your fingerprints or iris patterns! How about something you DO at login time? Maybe a mouse motion pattern in addition to the correct password? Or a voice entry portion that matches to your voiceprint?

It’s good enough for Google; they added 2FA and saw excellent results. So this would be “something you know” (password) and “something you have” (security key).

1 Like

You nailed it! Big time bullshit!

2 Likes

Let’s see… top 20 before

  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321
  11. qwertyuiop
  12. mynoob 123321
  13. 666666
  14. 18atcskd2w
  15. 7777777
  16. 1q2w3e4r
  17. 654321
  18. 555555
  19. 3rjs1la7qe
  20. google

Top 20 passwords “leaked on the darknet”

  1. 123456
  2. 123456789
  3. Qwerty
  4. Password
  5. 12345
  6. 12345678
  7. 111111
  8. 1234567
  9. 123123
  10. Qwerty123
  11. 1q2w3e
  12. 1234567890
  13. DEFAULT
  14. 0
  15. Abc123
  16. 654321
  17. 123321
  18. Qwertyuiop
  19. Iloveyou
  20. 666666

The more things change, the more they stay the same?

1 Like
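The two top-20 lists above, the "password shaming" messages proposed earlier in the thread, and the Diceware entropy figure from the 'correct horse battery staple' reply can all be tied together in one quality check. The code below is an added example and is not from any post in this thread or from any real product: it looks the candidate up in a blocklist built from the two lists (case-insensitive, since the second list capitalizes its entries), and only if that misses does it fall back to a crude character-class entropy estimate, because that estimate badly overstates the strength of human-chosen passwords like the ones listed. The one-million-guesses-per-second "cell phone" rate, the 40-bit shaming threshold and the 33-symbol class size are constructed assumptions of this example; the 7776-word Diceware list size is the standard one.

```python
import math
import re

# Both top-20 lists from the post above, merged and lowercased. Real blocklists
# run to hundreds of millions of entries; this one only illustrates the lookup.
TOP_20_BEFORE = [
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob 123321",
    "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321", "555555",
    "3rjs1la7qe", "google",
]
TOP_20_DARKNET = [
    "123456", "123456789", "qwerty", "password", "12345", "12345678",
    "111111", "1234567", "123123", "qwerty123", "1q2w3e", "1234567890",
    "default", "0", "abc123", "654321", "123321", "qwertyuiop", "iloveyou",
    "666666",
]
KNOWN_BAD = {p.lower() for p in TOP_20_BEFORE + TOP_20_DARKNET}

# Assumed guess rate for the "my cell phone" message (a constructed figure,
# not a measurement): one million guesses per second against a fast hash.
PHONE_GUESSES_PER_SECOND = 1_000_000
WEAK_BITS = 40  # assumed threshold below which the user gets shamed

# Character classes and the alphabet size each one contributes (33 printable
# ASCII symbols is an assumption of this example).
CLASS_SIZES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
]

DICEWARE_LIST_SIZE = 7776  # 6**5 words: five dice rolls select one word


def charset_size(password):
    """Size of the smallest character-class alphabet the password draws from."""
    return sum(size for rx, size in CLASS_SIZES if rx.search(password))


def keyspace(password):
    """Number of strings of the same length over that alphabet (integer, exact)."""
    return charset_size(password) ** len(password) if password else 0


def entropy_bits(password):
    """Crude upper bound on guessing entropy; fine for random strings, generous for human ones."""
    return math.log2(keyspace(password)) if password else 0.0


def seconds_to_guess(password, rate=PHONE_GUESSES_PER_SECOND):
    """Worst-case time to enumerate the whole keyspace at the given guess rate."""
    return keyspace(password) / rate


def diceware_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of an n-word Diceware passphrase: each word is a uniform pick from the list."""
    return n_words * math.log2(list_size)


def feedback(password, rate=PHONE_GUESSES_PER_SECOND):
    """Produce the shaming message from the thread, or an 'ok' line."""
    if password.lower() in KNOWN_BAD:
        # A dictionary hit is found after at most len(KNOWN_BAD) guesses.
        secs = len(KNOWN_BAD) / rate
        return f"I just used a thesaurus to guess your password in {secs:.6f} seconds"
    bits = entropy_bits(password)
    if bits < WEAK_BITS:
        return f"My cell phone could randomly guess your password in {seconds_to_guess(password, rate):.3g} seconds"
    return f"ok: roughly {bits:.0f} bits of guessing space"


if __name__ == "__main__":
    for candidate in ("Qwerty123", "abc", "xK9#pL2m!qR7wE4tY8uI"):
        print(repr(candidate), "->", feedback(candidate))
    print(f"20 Diceware words: {diceware_bits(20):.3f} bits")
```

The blocklist check comes first on purpose: "Qwerty123" scores about 53 bits by the character-class formula, comfortably above the threshold, yet it is number 10 on the leaked list. A strength meter that trusts the formula alone will call the passwords in these lists acceptable.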

There's even one more unmentioned rule, which is one of the worst: password expiration. It forces people to come up with new passwords, say, every three months. That increases the probability of creating weak, easy-to-remember passwords. It doesn't add anything to security. The reasoning is that if your password has been guessed or hacked, changing it would restore security. That is nonsense. If a password can be guessed, it's a bad password, and the user will probably replace it with another bad password which will also be guessed soon. If it has been hacked because of a security leak in the system, changing the password won't help if the leak isn't fixed.
Mandatory password expiration only annoys users, but doesn't contribute to security.

2 Likes

Banks are notorious for that. And worst of all is if you’re exhausted but want to check your account quickly just before going to bed. :unamused:

1 Like

I once could make a great password …. Now, constantly changing it brings me to the point of requesting a password reset every time I need to log in. So what is it, does tech actually ease my life now? Maybe a hacker can just reset my password too once they gain the first access; no need to know the password.

Also, someone could just mess with another person and force them to reset their password by trying to log in to their account too many times and getting it locked out.

2 Likes

I so, so cannot stand EVERYTHING you've written above! If I wanna use a 40-character password with whatever symbols I wanna use, I should be able to. Your example is so true & frustrating.

2 Likes