The otherday I watched episode 303 of Security Now and Steve has a very interesting take on passwords. Essentially assuming we don't have a dictonary word then it's all about using as many different types of characters as possible. Yes length still matters but entropy (randomness) doesn't. By not having an easily guessed password you're forcing an attacker to do a brute force attack and by having as many different types of characters as possible you're increasing the number of passwords they have to guess. Steve's put a page up on his website to demonstrate this point - www.grc.com/haystack.htm.