Tuesday, February 15, 2005

Getting rid of passwords

This post over at Slashdot references some items written by Robert Hensing of the Microsoft PSS Security team.  According to the post, Hensing suggests "passphrases" -- sentences and quotes that are easy to remember, but exceed 30-40 characters in length.

It's certainly an interesting idea considering how companies require employees to frequently change passwords.  If your company requires you to frequently change your password and not use any of the 10 passwords previously used, do you just modify your password each time with a letter or number rather than coming up with a new one?  If you don't do that, I bet your password is written down somewhere in your office.

I'm certainly not a hacker, but I wonder how long it would take to brute-force a password in excess of 30-40 characters.

