From Ars Technica;
"The latest confirmation of that comes with some pretty significant numbers behind it: 32 million, to be exact. That's how many passwords were obtained in a recent hack of the RockYou service. The hacker left a file with all the passwords on a public site, and security firm iMPERVA has now analyzed them. The numbers aren't pretty: about a third are less than six characters, and half are vulnerable to dictionary attacks. The most common password was 123456, and it was followed by 12345, 123456789, and Password."
So now you know how to become a successful hacker. It's worth pointing out that generally speaking your average website professional wouldn't be caught dead storing passwords in plain text anymore, which tends to mean that you don't come across amusing examples of terrible passwords, but from the prehistory of the 1990s doing some dbadmin on systems involved with login gave the following gems;
So without further ado, how to create passwords.
Rule 1) ignore length. Length doesn't mean much unless someones determined to run brute force attacks, and usually you can get better results from lower hanging fruit.
Rule 2) Don't use single words. Take a leaf from AOLs old technique and intersect words in new and exciting ways. 'Juggaliciouscarnivore' isn't going to be dictionary attacked and is quite memorable if you like Dinosaurs with breasts.
Rule 3) Mix stuff up with punctuation and numbers. Variety is the spice of life.
Rule 4) Avoid birthdays, schools, friends names, pet names, wife's names and anything else connected to you.
Rule 5) Don't use the same password everywhere. Nothing will fuck you up more than the day that there's a database leak and someone gets your email account. Generally the email account is the touchstone for all other security.