For no good reason at all, I changed a few of my on-line passwords, and suffered through synchronizing them on my various devices (desktops, laptop, Droid).
Then I happened upon The Password Meter (also served locally) which helped me see just how bad a password "password" is. (No, that's not my password.)
For example, the word "password" scores a meager 6%, or "very weak." Simple changes such as capitalizing the P jump the score to 24%, and replacing the a with 4 makes it 50%. Tossing an exclamation point on the end increases the score to 66%. Making the password "B@d+P4ssword!" isn't such a bad password after all, with a score of 98%, or "very strong." "N@+P4s5w0rD!" is a 100% strong password, with no deductions. (And, it still is not my password.)
I'm not sure I entirely agree with their scoring system. For example, duplicate characters lead to obfuscated keys (think of the scene in National Treasure where they put lemon juice on a coin to later use a black light to see which keys were hit), but that's a deduction on their scorecard. And consecutive upper-case or lower-case characters or numbers shouldn't necessarily score low in small groups, whether repeated characters (such as "ss") or not.
The score application is a bit of JavaScript that runs as you type the password. It doesn't send the password anywhere, so it's safe to play with for your real passwords. And you can download it directly to put on your own server, in case you don't trust theirs (or mine); note that a couple of graphics used on the page aren't in the archive, though, so that nice blue band at the top and its dangling buttons won't appear out of the box.
It also doesn't do any quick-style brute-force analysis to see if your slightly modified entry is potentially vulnerable to a dictionary attack. The simple "password" example above would be found in about three iterations of "try different cases" and "l33t sp34k" swaps.
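A dictionary-aware check of the kind the meter lacks, as an added example that is not part of the original post or of The Password Meter's code: it folds case and reverses common leet swaps before looking for a listed word. The word list, the substitution table and the function names are constructed for illustration.

```javascript
// Constructed sample list; a real page would load a large common-password list.
const COMMON_WORDS = ["password", "letmein", "dragon", "monkey", "qwerty"];

// Unambiguous "l33t sp34k" swaps, mapped back to the letter they stand for.
const LEET = { "4": "a", "@": "a", "3": "e", "0": "o",
               "5": "s", "$": "s", "7": "t", "+": "t" };

// "1" and "!" can stand for either "i" or "l", so both readings are tried.
const AMBIGUOUS = new Set(["1", "!"]);

// Spellings a rule-based dictionary attack would cover for this password:
// case folded, leet swaps reversed, other decoration dropped.
function candidates(password) {
  const lower = password.toLowerCase();
  const deLeet = (alt) => lower.replace(/[^a-z]/g, (c) =>
    AMBIGUOUS.has(c) ? alt : (LEET[c] || ""));
  const lettersOnly = lower.replace(/[^a-z]/g, "");
  return [deLeet("i"), deLeet("l"), lettersOnly];
}

// Returns the listed word hidden in the password, or null if none is found.
function findDictionaryWord(password) {
  for (const candidate of candidates(password)) {
    for (const word of COMMON_WORDS) {
      if (candidate.includes(word)) return word;
    }
  }
  return null;
}

// The passwords scored in the post, plus two constructed strings.
for (const pw of ["password", "Password", "P4ssword!", "B@d+P4ssword!",
                  "N@+P4s5w0rD!", "l3tme1n", "xK9#vQ2m"]) {
  console.log(pw, "->", findDictionaryWord(pw) || "no listed word");
}
```

Both of the post's high-scoring examples still contain "password" once normalized, which is the gap a character-class score alone does not see.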
I found this tidbit while I was looking for a plug-in password strength/validity indicator to add to a web page I'm working on, but I'm not sure I can use it for that as it fills in so much other stuff. It is GPLd, so I can mutate it, but that's not quite plug-in.
Thought I'd share.
None of it really matters if your password is so hard to remember that you write it on a Post-it note and stick it to your monitor. Not that you do that, but many do something similar. The math and technology are not our weak points when it comes to security; it’s us.