OMG, you're not kidding. People suck at remembering passwords.
Here are the 25 most common passwords of 2012, along with the change in rank from last year. From a CBS site. You'll find similar lists all over the place.
1. password (Unchanged)
2, 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)
Of course, in a corporate environment, it's hardly the user's fault. How the hell are you supposed to remember a 30 character password that has UPPERS lowers and specials in it, that you can't mistype 3 times in a row without locking your account out if the morons in the "security" group make you change it every 60 days?
A 30 char passwd is actually pretty decent, and would take a while for even the feral government to crack. However, noone is going to be able to learn a 30 char passwd easily. You'd be surprised how easy it gets to enter a really strong password if you enter it a couple of times a day for 6 months.
Always ask our security guys if they want good passwords or just want to pass an audit. The answer should be obvious given what has come to be standard policies.
Because the NetSec weenies force us to use sucky passwords that we must remember, even those of us who take care to craft awesome passwords for our personal data, we generally don't go beyond the minimum requirements necessary for the passwd to pass muster. Also, because of the rules they put in place, even those of us who actually care about things like password security will use a method of gnerating them that is reproducable so that we won't easily screw ourselves over because of a forgotten password.
Passwords suck, but it's not entirely our fault they suck. Though anyone using any of those top 25 passwords above needs to be shot, hanged, and then left to rot in the Texas sun for a month or two.
*shrug* I have a different password for each account/website.
Any length password protected windows 7 box can be opened in about 30 mins if you have physical access.