Check out this
post from Schneier on Security:

How good are the passwords people are choosing to protect their
computers and online accounts?

It’s a hard question to answer because data is scarce. But recently, a
colleague sent me some spoils from a MySpace phishing attack: 34,000
actual user names and passwords.

(read the whole thing here: Real-World
Passwords)

My password philosophy goes like this. I have a standard one that I use
for the majority of sites where I don’t care at all if someone gets into
it. Then I have a series of 4, progressively more obscure ones that I
use on how important access control is, with the most impossible to
guess one on my financial accounts.

Reading this makes me wonder if I am not taking this far enough…