This is all just complete BS.

Trojan, virus, and worm authors have had great success attacking systems with weak and/or default passwords. Take IRC/Flood Trojan for example. McAfee’s virus profile states that IRC/Flood has over 120 variants and has infected over 60,000 machines in the last 30 days. IRC/Flood succeeds by checking for 22 different easy to guess admin passwords (variants vary). Unfortunately, there are a lot more where IRC/Flood came from; W32/Tzet.worm, W32/Random.worm, and W32.HLLW.Gaobot.gen are in the wild, just to name three.
The real question is why do these systems allow remote administrative passwords? If they must, why is no PKI used? These systems had minimal security; weak passwords are almost a trivial concern.

Hackers also have no problem compromising systems with weak passwords. Programs like L0phtCrack for example make the process simple and efficient. Creating a password-cracking dictionary is not even a challenge. Type the words "Creating Password Cracking Dictionaries", without the quotes, into your favorite search engine. A comprehensive dictionary can be downloaded or created from scratch in short order.
L0pht requires access to a SAM file... not sure how your systems are configured, but mine requires a SYSTEM SID token to access either SAM file. And dictionary attacks? Did someone roll back the clock to 1992? Why not write a "Hacking with Telnet" tutorial next. Users should never be able to attempt more than a couple of passwords before being locked out.

Failure to apply such basic common sense like limiting attempts and restricting what/how users can log in is a far more serious problem than weak passwords.

Would you crack this account in three guesses?
user: john.smith
pass: JOHNSMITH

I'd have bet a month's pay on no. Passwords like johnsmiTh are even less likely to be guessed, yet still very easy for users to remember. This allows them to change their passwords frequently (which is more important due to accidental dissemination at cybercafes, other external systems, etc.) while maintaining a low recovery requirement.

Seriously though... think about it: if someone that knows you very well stole your ATM card, could they guess your four digit PIN? What makes you think they could guess an eight character password?

You have better things to worry about.

cheers,

catch

PS. It is however important that default passwords be changed.
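As an added example (not part of catch's post, nor of any product mentioned in the thread), here is the attempt limit the post argues for, in Python: a small account store with salted PBKDF2 password hashes that locks an account for a window after three consecutive failures, plus a helper that feeds a candidate list at one account so you can see the run stall at the lockout regardless of how weak the password is. The account name, the 3-attempt / 15-minute values and the candidate lists are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 3          # consecutive failures allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 900     # 15-minute lock (assumed policy)
PBKDF2_ROUNDS = 100_000   # slow hash so offline guessing is expensive too


class AccountStore:
    """Accounts keyed by username; each holds a salted hash and lockout state."""

    def __init__(self):
        self._accounts = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "failures": 0,        # consecutive failed attempts since last success
            "locked_until": 0.0,  # epoch seconds; 0 means not locked
        }

    def login(self, username, password, now=None):
        """Return 'ok', 'bad_password', 'locked' or 'unknown_user'."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            return "unknown_user"
        if now < acct["locked_until"]:
            return "locked"            # refuse even a correct password while locked
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, acct["hash"]):   # constant-time compare
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return "bad_password"


def dictionary_run(store, username, candidates, now=0.0):
    """Try each candidate once; return (outcome, attempts made) when the run ends."""
    for attempts, guess in enumerate(candidates, start=1):
        result = store.login(username, guess, now=now)
        if result in ("ok", "locked"):
            return result, attempts
    return "exhausted", len(candidates)
```

With the constructed list below the correct password is fourth, so the account locks on the third failure and the run reports "locked" at attempt four; the same list with the correct entry third gets through, which is exactly why the post wants the limit set at "a couple" of attempts.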