TSA has worst password policy ever and a proposal for a better policy
Apr 26, 2012
Mark Burnett dissects the TSA’s password policy and recommends this one instead:
So what would I use as the ultimate password policy? If I was ever in the position to set an organization’s policy, and it required a much higher than normal security, it would be this:
- Minimum password length is 15 characters but can contain anything you want including spaces.
- Your new password shouldn’t look too much like your last one.
- Don’t reuse this same password anywhere else.

Then, I would provide a short list of example passwords to spark their creativity such as this:
- www.craving-tacos.mx
- whitefish44.JPG
- C:\program files\green
- 1-800-orange piano
 
Link: Worst Password Policy Ever? « Xato via xato.net
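
A sketch of how the first two rules of the quoted policy could be checked at password-change time. It is an added example, not code from Mark Burnett's post; the 0.6 similarity threshold, the function names and the use of `difflib` are assumptions, since the policy gives no number for "too much like your last one". The comparison uses the current password the user types to authorize the change, so nothing is stored in plaintext, and the third rule (no reuse elsewhere) is not something the system itself can verify.

```python
import unicodedata
from difflib import SequenceMatcher

MIN_LENGTH = 15        # from the quoted policy
MAX_SIMILARITY = 0.6   # assumption: the policy does not define "too similar"


def _canon(password):
    """Fold Unicode form and case so trivial re-spellings compare as equal."""
    return unicodedata.normalize("NFKC", password).casefold()


def similarity(old, new):
    """Return a 0.0-1.0 ratio of shared text between two passwords."""
    return SequenceMatcher(None, _canon(old), _canon(new), autojunk=False).ratio()


def check_new_password(new, current=None):
    """Return a list of policy violations; an empty list means accepted.

    `current` is the password typed to authorize the change, or None when
    the account has no previous password.
    """
    problems = []
    # Rule 1: length only. No character-class rules; spaces are allowed.
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    # Rule 2: reject near-copies, including old password plus a suffix/prefix.
    if current is not None:
        padded_copy = _canon(current) in _canon(new)
        if padded_copy or similarity(current, new) > MAX_SIMILARITY:
            problems.append("too_similar")
    return problems


if __name__ == "__main__":
    # Constructed inputs built from the example passwords in the post.
    print(check_new_password("1-800-orange piano", "whitefish44.JPG"))
    print(check_new_password("www.craving-tacos.mx2", "www.craving-tacos.mx1"))
    print(check_new_password("craving tacos", "whitefish44.JPG"))
```
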
