Interesting question, Jim. There's more to it than meets the eye.
For example, some users don't understand what's wrong with using their wedding date as a password. After all, if they have a hard time remembering their anniversaries, what are the chances a hacker will be able to figure it out?
A hacker won't have any trouble. A hacker will simply try every mm/dd/yy combination to crack those passwords (before trying every possible combination of numbers, letters and symbols to crack any password).
Similarly, Jim's concept of what a hacker can do is dangerously limited. Jim is assuming that the hacker is outside the network wall, looking at the secure sign-in dialog box.
Unfortunately, there are lots of "holes" in most network walls. And it is not uncommon for hackers to gain access to files containing thousands and thousands of usernames and encrypted passwords controlling access to the networks and systems of banks, merchants, websites, etc.
Your system administrators are some of the biggest violators of their organizations' password policies. Administrative passwords are often easy to crack or discover via "social" means.
It is not unreasonable to imagine a disgruntled employee gaining administrative access to his/her company's systems and copying a file of usernames and encrypted passwords. That person can then misuse the information or release it to others to misuse it.
Given that people often use the same username and password combination for many online accounts, imagine that somebody steals the file of usernames and encrypted passwords at a website where you got something once. They crack the passwords, then go to all the major banks and see which username and password combinations open accounts at each bank. If they hit your bank with your stolen username and password, would they get access to your bank account? I'd say yes, unless you can tell me otherwise.
Here's a link to a clear and concise Users Guide to Password Security: http://comm.ncifcrf.gov/security/password.html. It provides a good explanation of the issues and risks. It also endorses certain practices for password security that would greatly improve online security.
But, I am afraid that these practices are too complicated for most users and most situations.
There is a "missing link" needed to enable these practices for ordinary users. It is a class of products to generate, store and properly present unique, secure passwords at each place a user has accounts.
Like a wallet or keychain, it is a product that people could use to keep their valuable account information safe and handy. It could be a piece of software residing on a user's PC or PDA (see http://www.download.com/3120-20_4-0.html?tg=dl-20&qt=password%20wallet&tag=srch). It could be a database stored on an "ID provider's" secure website in cyberspace (see http://en.wikipedia.org/wiki/OpenID), or it could be an encrypted USB thumb drive a user carries everywhere they go (see http://en.wikipedia.org/wiki/TrueCrypt).
Until you start following recommended password security practices, your online information and accounts at banks, merchants and websites really are vulnerable to hackers. Your privacy could be compromised. Your identity and/or your money could be stolen.
If you are a senior executive in your organization, here's a service you can do for your company and your community. Implement this policy that they have at the National Cancer Institute/Ft. Detrick:
"In order to keep up security on our systems, we run a program called Crack on your password. We figure that if we can find out your password, so could an Evil Cracker. If we discover your password that way, we'll freeze your account to keep anyone else from abusing your account. You will be notified that you have to change your password to a more secure password. He/She will make sure you understand everything discussed in this write-up before unfreezing your account."
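Two points in the post above lend themselves to a worked illustration from the defender's side: how small the space of mm/dd/yy passwords is compared with a random alphanumeric password, and what the "missing link" product (a wallet that generates a unique random password per site) does. The following Python is an added example, not code from the post's author or from any of the products linked above. It assumes a constructed year range of 1900 to 1999 for counting date-shaped passwords, a hypothetical minimum length of 12 characters for the policy check, and a 94-character printable alphabet for the generator; all of those are assumptions, not figures from the post.

```python
import math
import re
import secrets
import string
from datetime import date

# Constructed range used to count how many distinct mm/dd/yy passwords exist.
DEFAULT_START_YEAR = 1900
DEFAULT_END_YEAR = 1999

# Printable ASCII minus whitespace: letters, digits and punctuation (94 symbols).
WALLET_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def date_keyspace(start_year=DEFAULT_START_YEAR, end_year=DEFAULT_END_YEAR):
    """Number of distinct calendar dates (one per possible date password)."""
    return (date(end_year, 12, 31) - date(start_year, 1, 1)).days + 1


def random_keyspace(length, alphabet_size=len(WALLET_ALPHABET)):
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(WALLET_ALPHABET)):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


# Two one-or-two-digit fields and a two- or four-digit year, with an optional
# separator (/, - or .) that must be the same between both field pairs.
_DATE_SHAPE = re.compile(r"^(\d{1,2})([/.\-]?)(\d{1,2})\2(\d{2}|\d{4})$")


def looks_like_date(password):
    """True if the password is a real calendar date in mm/dd/yy or dd/mm/yy form."""
    match = _DATE_SHAPE.match(password)
    if not match:
        return False
    first, _, second, year = match.groups()
    year = int(year)
    if year < 100:
        year += 1900  # two-digit years: century only matters for leap days
    for month, day in ((int(first), int(second)), (int(second), int(first))):
        try:
            date(year, month, day)  # raises ValueError for impossible dates
            return True
        except ValueError:
            continue
    return False


def check_password(password, min_length=12):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.isdigit():
        problems.append("digits only")
    if looks_like_date(password):
        problems.append("looks like a calendar date")
    return problems


def generate_password(length=16, alphabet=WALLET_ALPHABET):
    """Uniformly random password drawn with the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_wallet(sites, length=16):
    """One fresh random password per site, so no two accounts share a secret."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    dates = date_keyspace()
    randoms = random_keyspace(8)
    print(f"date-shaped passwords (1900-1999): {dates:,}")
    print(f"random 8-char passwords:           {randoms:,}")
    print(f"ratio: 1 to {randoms // dates:,}")
    for candidate in ("06/12/97", "061297", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "ok")
    wallet = build_wallet(["bank", "merchant", "forum"])
    for site, pw in wallet.items():
        print(f"{site:10s} {pw}  ({entropy_bits(len(pw)):.1f} bits)")
```

The date check accepts both month-first and day-first orderings and rejects strings that merely look date-shaped but are not real dates (13/31/99, or 02/29/99 in a non-leap year), so it does not flag arbitrary digit strings as dates. The wallet half shows the property the post asks for: every site gets its own secret, so a breach of one site's password file does not unlock the others.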