"It depends."

If the share doesn't need to get files sent to it from the outside, then make it read-only. They should all be read-only shares, unless you have a good reason to make them full-access. And even then, never share out the whole drive, just share out an 'incoming' folder or something.

Passwords should be at least 8 characters in length, should NOT be something that you will find in the dictionary, and should be at least a mix of numbers and characters. Something like rabbi123 is BAD, however, because that particular kind of dictionary-word + number combination is VERY popular. Stuff like frogw0rt or ilove9pins might work as a compromise, if users have bad memories.
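The password rules above (minimum length, no dictionary words, a mix of letters and numbers, and a rejection of the dictionary-word-plus-number pattern) can be turned into a small policy check. The following Python is an added example, not code from the post; the `DICTIONARY` set is a constructed stand-in for a real word list such as `/usr/share/dict/words`, and the function names are my own.

```python
"""Password-policy checker for the rules in the post (added example)."""
import string

# Constructed stand-in for a real word list; load /usr/share/dict/words
# or a larger cracking wordlist in practice.
DICTIONARY = {"rabbi", "password", "frog", "wort", "pins", "love", "summer"}

MIN_LENGTH = 8


def dictionary_core(password: str) -> str:
    """Lowercase the password and strip any leading/trailing runs of digits.

    'rabbi123' and '123rabbi' both reduce to 'rabbi', which is exactly the
    popular word-plus-number pattern the post warns about.
    """
    return password.strip(string.digits).lower()


def check_password(password: str) -> list:
    """Return the list of policy violations (empty list means acceptable)."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    has_digit = any(c.isdigit() for c in password)
    has_letter = any(c.isalpha() for c in password)
    if not (has_digit and has_letter):
        problems.append("must mix letters and numbers")

    if password.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    elif dictionary_core(password) in DICTIONARY:
        problems.append("is a dictionary word with numbers tacked on")

    return problems


def is_acceptable(password: str) -> bool:
    """True when the password passes every rule in the post."""
    return not check_password(password)


if __name__ == "__main__":
    # Candidates from the post plus a few constructed edge cases.
    for candidate in ["rabbi123", "frogw0rt", "ilove9pins", "password",
                      "short1", "123summer"]:
        verdict = check_password(candidate)
        print(f"{candidate:12} -> {'OK' if not verdict else ', '.join(verdict)}")
```

The check deliberately compares only the whole stripped string against the word list, so `frogw0rt` passes (as the post suggests) even though `frog` is a dictionary word; a stricter deployment could add leetspeak normalisation, but that goes beyond what the post describes.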