ZD Net UK has an article that examines the relative strength of passwords that people are using today. The fact that they they used a phishing scam and that they only targeted MySpace users to obtain the information aside, they say they found that 81% of passwords contained both letters and numbers, and only 3.8% were words that are found in a dictionary.
As good as that sounds, I would bet that if you looked at all passwords from a particular person, you would find that they used the same one for as many sites as possible. That is not real secure, but with any one person having the possibility of dozens of sites/services that require a password you can’t really blame them.
I would bet that most people are mixing characters and numbers in their passwords for a very simple reason that has nothing to do with security – they made a password that met the security guidelines enforced by a particular site, and then just used the same one for all other services. The upside – passwords in general are tougher to break. On the downside – if someone happens to get one of your passwords, they could likely get into a decent number of your accounts. The bottom line is that passwords are a primitive means of security and just becoming more and more unwieldy. We really need a new system. Biometrics would seem to be the obvious choice.