The comments on this blog post make me cringe. Is there a correlation between Schneier followers and self-professed experts? Consider the clever fellow who has "logically" concluded that consistent password rules would constitute "putting all your eggs in one basket" and hence weaken security. Folks: a limited character set isn't a liability if you can just increase the number of characters correspondingly. If you're allowed a 64 character password, you can reduce the character set to [0-9A-F] and still have 2^256 possibilities.