An old article, but still a good one, by Jakob Nielsen (formerly at Sun, now at his own company). I strongly agree with his points, particularly: "passwords that comply with the above list of 'security-enhancing' principles lead to one outcome: Users write down their passwords."