Back a few years ago, I was setting up some web apps for a friend and needed his password.
“Oh, try my non-sensitive password: ‘basketball’”
Sure enough, ‘basketball’ got me in.
That exchange was a reminder that there are different degrees of security and different comfort levels of risk associated with each of those degrees.
One person’s ‘basketball’ is another’s ‘vaj/YfS35S)*’
This difference even exists between the service provider and the person using the service – as J Wynia describes.
Computers are really good at generating random, unguessable strings; people aren’t.
If a service has any character requirements on a password, that service should – upon request – generate passwords fulfilling those requirements. Otherwise, take what the people want to use as their password.
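As an added example (not from the original post), here is what that request-time generation could look like: a constructed password policy, a generator that draws from the OS CSPRNG (Python's `secrets`) and is compliant with the policy by construction, and the validator a service would run on whatever the person chooses to use instead.

```python
import secrets
import string

# Constructed example policy: the kind of "character requirements" a service
# might impose. Every listed class must appear at least once.
POLICY = {
    "min_length": 16,
    "classes": {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
    },
}


def meets_policy(password, policy=POLICY):
    """Return True if the password satisfies the length and class rules."""
    if len(password) < policy["min_length"]:
        return False
    allowed = "".join(policy["classes"].values())
    if any(ch not in allowed for ch in password):
        return False
    return all(any(ch in chars for ch in password)
               for chars in policy["classes"].values())


def generate_password(policy=POLICY, length=None):
    """Generate a policy-compliant password using the OS CSPRNG.

    One character is drawn from each required class so the result satisfies
    the policy by construction; the rest come from the full alphabet. The
    positions are then shuffled with a secrets-backed Fisher-Yates so a
    character's class cannot be inferred from where it sits.
    """
    length = policy["min_length"] if length is None else length
    classes = list(policy["classes"].values())
    if length < len(classes):
        raise ValueError("length too short to satisfy every required class")
    alphabet = "".join(classes)
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # random.shuffle uses a non-cryptographic PRNG, so shuffle with secrets.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    print(meets_policy("basketball"))  # too short, lowercase only
```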