KelliR's blog

Secure Passwords: My Thoughts

Earlier today I was reading a post on the Huckleberries blog at the Spokesman Review website about password security and just how BAD some people's passwords are. http://www.spokesman.com/blogs/hbo/2011/nov/23/worst-computer-passwords-...

Bad passwords are a pet peeve of mine. An 8-character password mixing upper- and lower-case letters, numbers, and symbols can be brute-forced by a reasonably fast computer within a day; about 3 hours, according to howsecureismypassword.net. (The exact figure depends on how the site stores the password, since a slow, salted hash costs the attacker far more per guess than a fast one, but the order of magnitude is the point.) If you tell that computer to try the common, insecure passwords first, and then dictionary words with c0mm0n r3pl4c3m3nts, the search gets much faster, because it is trying the passwords people actually pick before it wastes time on random strings.

My secure passwords used to be variations on the names of pop-culture characters I like, which would be difficult for other people to guess without knowing me. For example, a password might have been C4lv1n&H0bb3s. That is actually a relatively secure password. Those aren't common dictionary words, it uses numbers and mixed-case letters (even though the numbers are common replacements), and it uses symbols. It is also 13 characters long, which would take a random-guess algorithm a very long time to find. Its main flaw is that anyone who knew me personally could make a reasonable guess as to which characters I might use, and could guess the replacement pattern pretty easily.
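To put numbers on the two points above (raw keyspace versus a guesser that knows the pattern), here is an added example written for this post; it is not code from the original or from howsecureismypassword.net. The guess rate of 10**12 per second is an assumption standing in for a "reasonably fast computer", the SHA-256 hash is a constructed stand-in for however a site stores passwords, and the word list and separator list are made up for the demo. The rule set models only the two names and the common letter-for-digit swaps, which is the generalization of what the paragraph describes.

```python
import hashlib
import itertools

# Added example, not code from the original post. Assumptions (hypothetical):
# an attacker testing GUESSES_PER_SECOND candidates against a fast, unsalted
# hash, and a tiny rule set modelling the c0mm0n r3pl4c3m3nts pattern.
GUESSES_PER_SECOND = 10**12   # assumed "reasonably fast computer"
PRINTABLE_ASCII = 95          # upper, lower, digits, symbols, space

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` symbols from the alphabet."""
    return alphabet_size ** length


def brute_force_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every string in the keyspace at `rate`/s."""
    return keyspace(alphabet_size, length) / rate


def leet_variants(word):
    """Every spelling obtained by optionally applying each LEET swap."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    return ["".join(t) for t in itertools.product(*choices)]


def case_variants(word):
    """Lower-case and first-letter-capitalised forms, de-duplicated."""
    return list(dict.fromkeys([word, word[0].upper() + word[1:]]))


def mangle(word):
    """All candidate spellings of one base word under the rule set."""
    return [cv for v in leet_variants(word) for cv in case_variants(v)]


def candidates(words, separators=("", "&", "+", "and")):
    """Two-word passphrases built from the rule set, in generation order."""
    for first, second in itertools.permutations(words, 2):
        for a in mangle(first):
            for sep in separators:
                for b in mangle(second):
                    yield a + sep + b


def sha256_hex(password):
    """Stand-in for a site's stored hash (constructed: fast and unsalted)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, words):
    """Rule-based attack. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for cand in candidates(words):
        guesses += 1
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    for length in (8, 13):
        secs = brute_force_seconds(PRINTABLE_ASCII, length)
        print(f"{length} printable chars: {keyspace(PRINTABLE_ASCII, length):.2e} "
              f"strings, {secs / 86400:.1f} days worst case")
    # Constructed target: the password the post uses as its example.
    stored = sha256_hex("C4lv1n&H0bb3s")
    found, guesses = crack(stored, ["calvin", "hobbes"])
    print(f"rule-based guesser found {found!r} after {guesses} guesses")
```

Running it shows why the ordering in the previous paragraph matters: the 13-character keyspace is astronomically larger than the 8-character one at any guess rate, yet the rule-based guesser recovers the example password in well under a thousand guesses, because it models how a person built the password instead of enumerating strings. The 10**12 rate only matters for the brute-force line; the rule-based line would finish instantly at any rate.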

A lot of password misuse comes from people we know, unfortunately, just like identity theft.

With the current password rules for many applications we've actually decreased security: they push people toward short strings of random numbers and characters that a computer can still brute-force but that a person can't remember. So many people fall back on the easy, popular passwords, or choose ones that the people around them can guess.