> But what you imply, that PGP (and other programs that request passwords
> and passphrases from the user) should be more picky in what it accepts, is
> an excellent idea. Of course, it's impossible to force the user to choose
> a good passphrase, but requiring no fewer than, say, 12 characters that
> look 'random' (upper, lower, digits, and punctuation), or no fewer than 30
> characters that look 'regular' (English text) would not be a bad idea.

In principle, that's not a bad idea. In practice, it's very hard to make
something foolproof because fools are so damned clever and persistent.
In other words, people *aggressively* pick bad passphrases.
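
The rule proposed in the quoted text, written out as an added example (not code from PGP or from either poster) and run over constructed passphrases. The function names, the tiny common-word list, and the two weakness heuristics are assumptions made for illustration. The last sample shows a well-known phrase that passes both the rule and the heuristics.

```python
import string

MIN_RANDOM_LEN = 12    # "no fewer than, say, 12 characters that look 'random'"
MIN_REGULAR_LEN = 30   # "no fewer than 30 characters that look 'regular'"
ALL_CLASSES = {"upper", "lower", "digit", "punct"}
COMMON_WORDS = {"password", "secret", "letmein"}  # constructed, far from complete


def char_classes(p):
    """Return which of the four character classes occur in p."""
    found = set()
    for ch in p:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        elif ch in string.punctuation:
            found.add("punct")
    return found


def accepts(p):
    """The quoted rule: 30+ characters, or 12+ using all four classes."""
    if len(p) >= MIN_REGULAR_LEN:
        return True
    return len(p) >= MIN_RANDOM_LEN and char_classes(p) == ALL_CLASSES


def smallest_period(s):
    """Length of the shortest block that, repeated, reproduces s."""
    n = len(s)
    for k in range(1, n // 2 + 1):
        if all(s[i] == s[i - k] for i in range(k, n)):
            return k
    return n


def weak_signals(p):
    """Hypothetical extra checks for passphrases the rule lets through."""
    signals = []
    if p and smallest_period(p) <= len(p) // 2:
        signals.append("repeated block")
    letters = "".join(c for c in p.lower() if c.isalpha())
    if letters in COMMON_WORDS:
        signals.append("common word plus decoration")
    return signals


# Constructed samples: every one except the second satisfies the quoted rule.
SAMPLES = ["Password1234!", "correct horse", "Aa1!Aa1!Aa1!", "a" * 30,
           "the quick brown fox jumps over the lazy dog"]
REPORT = {p: (accepts(p), weak_signals(p)) for p in SAMPLES}
```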