>>(don't miss the mouseover)
I didn't miss the mouseover! Agree re the character substitution, but randomly mixing case and symbols mathematically ramps up safety substantially at the cost of difficulty remembering the password. However, IMHO there's another human phenomenon at play: in real life few people remember multiple passwords. Generally they reuse or rely on a repository to remember the passwords for them. It's reasonably safe to have a paranoid master password for Firefox and Thunderbird, after which you don't need to remember the individual site passwords, which can be as random as possible. Also possible on phones, but AFAICS a lot of people carry heaps of sensitive stuff on their phones protected only by a simple PIN, if at all...
"... They ne'er cared for us
yet: suffer us to famish, and their store-houses
crammed with grain; make edicts for usury, to
support usurers; repeal daily any wholesome act
established against the rich, and provide more
piercing statutes daily, to chain up and restrain
the poor. If the wars eat us not up, they will; and
there's all the love they bear us."
-- Shakespeare: Coriolanus, Act 1, scene 1