Trusted hackers from information security firm Trustwave ran thousands of tests on American systems over the past 2 years.

The conclusion of the 2-year penetration test period was that they cracked over 600 thousand passwords.

"We eventually cracked 576,533 or almost 92 percent of the sample within a period of 31 days," Sigler said in an article from The Register.

Passwords peaked at eight characters in keeping with business policies. The most common were Password1 with 2984 results, Hello123 with 2587, password with 2458 and welcome1 with 1697, the study found.

"Despite the best efforts of IT administrators, users find methods to meet complexity requirements while still creating weak passwords," Sigler said, noting that Active Directory's password requirements permitted 'Password1'.

Sigler reiterated warnings that mixed non-phonetic passwords riddled with special characters and numbers were no more secure than memorable phrases of the same length, provided those passwords were not common, cliché or easy to guess. Via: "Who needs hackers? 'Password1' opens a third of all biz doors" (The Register).

In our experience the best way to set up a password is to use a phrase instead. For example: think of a favourite song, then take the first letter from each word in the song. You can further 'complexify' it by swapping 'A's for '4's and 'E's for '3's. Choose a lengthy phrase so that you get to at least 8 characters and you'll end up with something that is much harder to crack, because it won't follow any common password list rule.
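As an added example (not from this post or the Trustwave study), the Python below builds a password from a phrase the way the post describes and checks it against a policy of the kind the study criticises: the three-of-four character-class rule is an assumed approximation of a complexity requirement, and the common-password list is only the four entries the study names. It shows why 'Password1' passes complexity but should still be rejected, and why a phrase-derived password passes both checks.

```python
import re
from typing import Tuple

# Constructed sample blocklist: the four most common passwords from the study.
# A real deployment would use a much larger breached-password list.
COMMON_PASSWORDS = {"password1", "hello123", "password", "welcome1"}

# The post's suggested substitutions: A -> 4 and E -> 3 (both cases).
LEET_MAP = str.maketrans({"a": "4", "A": "4", "e": "3", "E": "3"})


def phrase_to_password(phrase: str, substitute: bool = True) -> str:
    """Take the first letter of each word in the phrase, keeping its case,
    and optionally apply the A->4 / E->3 swaps."""
    initials = "".join(word[0] for word in phrase.split() if word)
    return initials.translate(LEET_MAP) if substitute else initials


def meets_complexity(pw: str) -> bool:
    """Assumed approximation of an Active Directory style rule: characters
    from at least 3 of 4 classes (upper, lower, digit, symbol).
    'Password1' satisfies this, which is exactly the study's complaint."""
    classes = [
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"[0-9]", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return sum(1 for c in classes if c) >= 3


def is_acceptable(pw: str, min_len: int = 8) -> Tuple[bool, str]:
    """Policy check combining length, a case-insensitive blocklist and the
    complexity rule. Returns (accepted, reason)."""
    if len(pw) < min_len:
        return False, "too short"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "on common-password list"
    if not meets_complexity(pw):
        return False, "fails complexity"
    return True, "ok"


if __name__ == "__main__":
    # Constructed phrase; the derived password is 14 characters long.
    song = "Somewhere over the rainbow, way up high, there's a land that I heard of"
    derived = phrase_to_password(song)
    print(derived, is_acceptable(derived))
    print("Password1", meets_complexity("Password1"), is_acceptable("Password1"))
```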