@purehate_ replied with a link to a blog post from @d3ad0ne_ called "Does password padding make your passwords more secure?", which I guess directly relates to the podcast from @sggrc and Haystack.
@quelrods (James Nobis) has also written his opinion on Haystack, as his very first blog post! (woohoo!)
There's probably no point in writing much more; I agree with purehate_, d3ad0ne_ and quelrods. Padding your password to lower the chances of crackers breaking it is not the best of ideas, as with probably ... oh ... a LOT of similar suggestions.
Let's talk a little psychology and security awareness instead.
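To put a number on why padding buys less than its length suggests, here is an added example (my own code, not from this post or any of the linked ones). It estimates the guess cost of a password under two attacker models: the naive "try every string over the charset" view, and a cracker who already knows that people pad with a run of one repeated character. Assumptions: 95 printable ASCII characters, a pad is a run of 4 or more identical characters at either end, and pad length is at most 255.

```python
import math
import re

PRINTABLE = 95          # printable ASCII; assumption for the symbol pool
MAX_PAD_LEN = 255       # longest pad a cracker needs to try; assumption


def charset_size(pw: str) -> int:
    """Size of the smallest of lower/upper/digit/symbol unions that covers pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += PRINTABLE - 62   # the 33 printable symbols
    return size


def naive_bits(pw: str) -> float:
    """Haystack-style view: every string over the charset, shortest first."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def split_padding(pw: str) -> tuple[str, int]:
    """Return (core, pad_length); a pad is 4+ identical chars at either end."""
    tail = re.search(r"(.)\1{3,}$", pw)
    if tail:
        return pw[: tail.start()], len(tail.group(0))
    head = re.match(r"(.)\1{3,}", pw)
    if head:
        return pw[head.end():], len(head.group(0))
    return pw, 0


def pattern_aware_bits(pw: str) -> float:
    """Cracker who knows the padding habit: brute-force only the core, then
    guess the pad as (which character) x (how long); the pad's cost is the
    same whether it is 5 characters or 200."""
    core, pad_len = split_padding(pw)
    bits = naive_bits(core)
    if pad_len:
        bits += math.log2(PRINTABLE) + math.log2(MAX_PAD_LEN)   # about 14.6 bits
    return bits


if __name__ == "__main__":
    sample = "Cat5#" + "." * 20          # constructed padded password
    print(f"naive: {naive_bits(sample):.1f} bits, "
          f"pattern-aware: {pattern_aware_bits(sample):.1f} bits")
```

The 20 dots look like 130 extra bits to a naive counter but cost a pattern-aware cracker a fixed ~15 bits, which is the whole of the padding argument in one line of output.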
I think we - as humans - are better at remembering positive things than negative ones. Sure, there are some events way back there in your brain that won't go away anytime soon, but for the most part I think we're better at the positive things. I can still remember what color and type of clothes my wife was wearing the very first time I saw her. Black trousers, black shoes, red sweater, oval green sign with "Smash" written in white. (She worked at a clothing store at the time.) Could that sentence be my password^H^H^H^Hphrase? I'd love to see somebody crack that, with no prior knowledge of either password policy restrictions or my preferred choices of passwords.
Obtaining a written password policy, as well as the various technical implementations, is a "piece of cake". It's easy. It is so easy that calling it "social engineering" is ... well ... an overstatement.
On the other hand, you really don't need to talk to many users before they will curse you from here to anywhere, when you ask them about password policies and password construction schemes. Try your mother, probably a good place to start.
See, there are way too many security people out there trying to teach people advanced password construction schemes in order to create - AND REMEMBER - advanced passwords. Suddenly the poor end-users must not only try to remember their password, but the construction rules as well. It just doesn't work in most cases - at least not in the scenarios I've tried out. (I have to admit this sure is something I'm going to dig deeper into, along with psychologists and other people studying human behavior etc.)
That's why I've been telling my mom - and others - to write a sentence in normal language as their password. Hey, it's summertime, barbecue and margaritas, here we come! Positive sentence, shouldn't be that hard to remember.
Drop 99% of your written password policy and construction guidelines. It's pretty useless. People are just not interested. Breaks my security heart, but not much to do about that. Tell them to use sentences. Positive ones. Deploy electrical treatment to all programmers and sysadmins who refuse to implement UTF-8 length 255 password support.
A large part of the problem is on our side. The security folks, the sysadmins, helpdesk who mess up everything, the haystacks of old and ridiculous policies stowed away in something called "QMS".
Stop blaming the end-user every time something goes kaboom. Remember, they're the ones keeping you in a job. Don't fight them, help them!
And that's it from the happy-shiny-people's department today.