This is an interesting article: the premise is that a password should be something that is individualized, but not conscious:
In tests of the picture version, users went through a two-step process to get a set of user certificates, or unconscious passwords. Users were first shown a set of 100 to 200 pictures randomly selected from a database of 20,000 pictures. Pictures were organized in groups of 2 to 9 pictures with a common theme, and each user was certified on one picture from a given theme group. The user then practiced choosing certificate images from entire theme groups.
Later, in lieu of passwords, users identified most of a short series of certificate images. To guard against eavesdropping, each certificate picture is only used once, and the user retrains when they run low.
Subjects were able to recognize previously seen pictures with better than 90 percent accuracy for up to three months. According to the researchers' calculations, the chances that a user who guesses correctly four times in a row is an imposter is less than 1,000th of one percent.