Anyone who works in IT security or has ever worked the helldesk, oops I mean, helpdesk, knows that users don't choose good passwords. That's why we have these lovely complex password policies that the average user hates (must be at least 8 characters and must contain a capital letter, a lower case letter, a number and a special character). The recent MySpace phishing episode shows just how bad the average user's passwords can be, complexity rules or not.
Users tend to pick things they won't forget. A few examples:
- Their name
- Their username
- Words in the dictionary
- Kid's name
- Spouse's name
- Pet's name
- Sequences of keys on the keyboard like "qwe" or "asdf"
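To make the point concrete, here is an added example (written for this post, not code from the original) that implements the complexity policy from above next to a check for the guessable patterns in the list: username, personal names, dictionary words (with the usual @/0/1/3/$ substitutions undone) and runs of adjacent keyboard keys. The dictionary, the substitution map and the sample passwords are constructed for the example; a real check would load a full wordlist plus a breached-password list.

```python
import re

# Constructed sample wordlist for the example; a real check would load a
# proper dictionary plus a breached-password list.
DICTIONARY = {"password", "welcome", "summer", "monkey", "dragon", "letmein"}

# Physical rows of a US keyboard; three or more adjacent keys in a row is the
# "qwe" / "asdf" pattern. Three is aggressive (it flags "ert" inside "Robert"),
# so raise min_len to 4 if false positives matter more than coverage.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Assumed substitution map: the swaps crackers undo first with mangling rules.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s", "7": "t"})


def meets_complexity_policy(pw: str) -> bool:
    """The classic policy: at least 8 chars with upper, lower, digit, special."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _letters(s: str) -> str:
    """Keep only a-z so 'Summer2007!' reduces to 'summer'."""
    return re.sub(r"[^a-z]", "", s)


def keyboard_runs(pw: str, min_len: int = 3) -> list:
    """Longest run of adjacent keys from each keyboard row found in pw."""
    lower = pw.lower()
    found = []
    for row in KEYBOARD_ROWS:
        # Try the longest possible run first, stop at the first hit per row.
        for length in range(len(row), min_len - 1, -1):
            hit = next((row[i:i + length]
                        for i in range(len(row) - length + 1)
                        if row[i:i + length] in lower), None)
            if hit:
                found.append(hit)
                break
    return found


def weak_pattern_reasons(pw: str, username: str = "", personal_names=()) -> list:
    """Reasons pw matches the guessable patterns listed in the post.

    Returns an empty list when none apply. Runs independently of the
    complexity policy, which is the point: 'Password1!' passes the policy.
    """
    lower = pw.lower()
    reasons = []
    if username and username.lower() in lower:
        reasons.append("contains username")
    for name in personal_names:
        if name and name.lower() in lower:
            reasons.append(f"contains personal name {name!r}")
    core = _letters(lower)
    leet_core = _letters(lower.translate(LEET))   # 'p@ssw0rd!' -> 'password'
    for word in sorted(DICTIONARY):
        if word in core or word in leet_core:
            reasons.append(f"dictionary word {word!r}")
    for run in keyboard_runs(pw):
        reasons.append(f"keyboard sequence {run!r}")
    return reasons


def evaluate(pw: str, username: str = "", personal_names=()) -> dict:
    """Both verdicts side by side, so the policy's blind spots are visible."""
    return {"complexity_ok": meets_complexity_policy(pw),
            "weak_patterns": weak_pattern_reasons(pw, username, personal_names)}


if __name__ == "__main__":
    # Constructed samples: the user 'jsmith' with a pet called Fluffy.
    for pw in ["Password1!", "P@ssw0rd!", "Qwerty123!", "Jsmith2024!",
               "Fluffy2007!", "correct-horse-battery"]:
        print(f"{pw:24} {evaluate(pw, 'jsmith', ('Fluffy',))}")
```

Every sample except the last one satisfies the complexity policy, and every sample except the last one trips a weak-pattern check; the passphrase fails the policy (no capital, no digit) while matching none of the guessable patterns, which is the mismatch the policy's critics complain about.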
The Dilbert comic strips for the past 2 days have been very spot on with "Dogbert's Password Recovery Service". Take a look at them here and here.
This article by Bruce Schneier is a good overview of secure passwords.