While the author has a point when users reuse their password for many accounts, he ignores the time required to test a password when using brute-force attacks. The rant on banking passwords with strongly limiting constraints may be (is?) balanced by the time to test each password. The password could be reduced to a few numbers if it is assigned randomly by the bank and can't be changed by the user, and if something like a paid phone call is required to reset the password after three failed attempts. Make the password a series of logos to click in a specific order and displayed randomly, and keyloggers become history.