Dave F's Blog
Security Too Much = Less

By Dave F in Reader

Posted in the web, Security, e-commerce on June 17, 2008 at 2:05 pm


I’m sure I’ve said before that if you make safety/security procedures too complex, people will just bypass them and leave you worse off than before. Another example has just arisen from good old Tesco. To get into my account they want the 1st 3rd


Comments

Comment by Dan Jones - June 17, 2008 on 2:48 pm

Longer passwords are not necessarily more secure - in my experience - and I do IT security for a living!

Someone having a keylogger on their machine is just one example of the reasons for this. This is why the banks and other websites use the “letter x of password” scheme (and why Barclays etc. use drop-downs). Keyloggers are more common than you are probably aware (we get > 200 trying to install daily according to our AV logs). Users without AV in many cases have them. I would never consider using a PC not owned by me for Internet banking for exactly this reason.

Also, it’s proven (don’t ask me to point out the research) that longer passwords lead to users writing the password down.

The true solution is hardware tokens which banks such as Barclays already use. But these are of course more of a pain to use.

I agree though that a system only accepting 8 characters when you want to enter more, is plain silly.

My question is why can’t websites/banks/etc work via username, pin and fingerprint say - or other biometric. Wouldn’t that be simpler?

Comment by davef - June 17, 2008 on 6:28 pm

Hmm, maybe I’m self-contradicting when I say have longer passwords but keep things simple! 8 does seem a bit short though, and a whole word is easier to remember than half a one…
As for keyloggers, I guess they would have to see me log in with 3 digits a couple of times before they got all 4 digits of my PIN. I was going to suggest a Bluetooth immobiliser type h/w device, but I guess Bluetooth & secure don’t go together too well!
Could a keylogger not also capture the biometric data? Most fingerprint scanners are USB, aren’t they?
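The “how many logins before a keylogger has the whole PIN” question raised in the comments above can be put into numbers. The following is an added example, not code from the blog or from any retailer’s or bank’s real login system: it assumes a generic partial-secret scheme in which the site asks for K randomly chosen positions of an N-character secret on each login, and that the keylogger can see both which positions were requested and what was typed. The sample PIN, the captured fragments and the function names are all constructed for the illustration.

```python
import math
import random
from fractions import Fraction

# Assumed scheme (not the page's or any real site's code): the secret has
# `length` characters and each login asks for `k` of its positions, chosen
# at random. A keylogger on the client records the requested positions
# together with the characters typed for them.


def ask_positions(length, k, rng):
    """One login challenge: k distinct positions, drawn at random."""
    return tuple(sorted(rng.sample(range(length), k)))


def merge_observations(observations):
    """Aggregate what a keylogger captured over several logins.

    observations: list of (positions, typed), where typed[i] is the
    character entered for positions[i]. Returns {position: character}.
    """
    known = {}
    for positions, typed in observations:
        for pos, ch in zip(positions, typed):
            known[pos] = ch
    return known


def recovered_secret(observations, length):
    """The full secret as a string once every position has been seen, else None."""
    known = merge_observations(observations)
    if len(known) < length:
        return None
    return "".join(known[i] for i in range(length))


def logins_until_recovered(secret, k, rng=None):
    """Simulate logins until the captured fragments cover the whole secret."""
    rng = rng or random.Random()
    observations = []
    while recovered_secret(observations, len(secret)) is None:
        positions = ask_positions(len(secret), k, rng)
        typed = "".join(secret[p] for p in positions)
        observations.append((positions, typed))
    return len(observations)


def expected_logins(length, k):
    """Exact expected number of logins until every position has been asked
    for at least once: a coupon-collector over k-subsets, by
    inclusion-exclusion. Returns a Fraction."""
    all_subsets = math.comb(length, k)
    total = Fraction(0)
    for j in range(1, length + 1):
        # q_j: probability that one login avoids a fixed set of j positions
        # (math.comb returns 0 when fewer than k positions remain)
        q_j = Fraction(math.comb(length - j, k), all_subsets)
        total += (-1) ** (j + 1) * math.comb(length, j) / (1 - q_j)
    return total


if __name__ == "__main__":
    rng = random.Random(2008)
    pin = "4719"  # constructed sample secret, not a real PIN

    print("4-digit PIN, 3 digits per login, expected logins:",
          expected_logins(4, 3))                       # -> 7/3
    print("4-digit PIN, 2 digits per login, expected logins:",
          expected_logins(4, 2))                       # -> 19/5

    trials = 20000
    avg = sum(logins_until_recovered(pin, 3, rng) for _ in range(trials)) / trials
    print("simulated average (3 of 4):", round(avg, 2))

    # Two constructed captures: positions requested plus the digits typed.
    captures = [((0, 1, 2), "471"), ((0, 1, 3), "479")]
    print("recovered after two captures:", recovered_secret(captures, 4))  # -> 4719
```

With 3 of 4 digits requested per login, the first capture leaves one digit unknown and each later login reveals it with probability 3/4, so on average a keylogger has the whole PIN after 7/3 logins; asking for only 2 of 4 digits raises that to 19/5. Partial entry buys a little time against a single observation, but it does not survive a keylogger that watches a few sessions, which is the point the commenters were circling around.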
