It is generally accepted that a strong password is better than a weak password, where strength is a function of password length, complexity, and unpredictability. A well-educated user should be able to easily create secure passwords. To try to ensure users select suitably strong passwords, many ICT systems force users to create passwords with a minimum length. They often also try to ensure a level of complexity by requiring users to include capital letters, numbers and symbols.
However, most people have numerous passwords to remember for home and work, so it shouldn’t be a surprise to learn that many people re-use passwords or write them down. And when users are forced to regularly change passwords, a significant number make minimal changes – Passw0rd01 to Passw0rd02 for example.
The National Cyber Security Centre has published useful guidance on ‘Helping end users to manage their passwords’.
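The composition rules and the minimal-change habit described above can be put side by side in a short check. This is an added example, not code from the article or from the NCSC guidance. The function names, the minimum length of 8 and the similarity threshold are assumptions, and the passwords used with it are constructed.

```python
import re

MIN_LENGTH = 8  # assumed value; the article does not state a minimum


def meets_composition_policy(password: str) -> bool:
    """Minimum length plus a capital letter, a number and a symbol."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(password: str) -> str:
    """Lower-case the password and drop its trailing digits and symbols."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def is_minimal_change(old: str, new: str, max_distance: int = 2) -> bool:
    """True if new is a near-copy of old or only its suffix was altered."""
    same_stem = bool(stem(old)) and stem(old) == stem(new)
    return same_stem or edit_distance(old, new) <= max_distance


def check_password_change(old: str, new: str) -> list[str]:
    """Return the reasons a change is rejected (empty list means accepted).

    Assumes `old` is the current password as typed on the change form; it is
    compared in memory and never stored.
    """
    problems = []
    if not meets_composition_policy(new):
        problems.append("fails composition policy")
    if is_minimal_change(old, new):
        problems.append("too similar to previous password")
    return problems
```

With a symbol appended to the article's pair, Passw0rd02! satisfies every composition rule and is rejected only by the similarity check, which is the gap a forced-change policy leaves open.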