The easiest way to get a password is just to ask for it.
A lot of data breaches are related to "social engineering" like just asking for passwords, as AFLM points out. It's a point Kevin Mitnick often made about how he penetrated so many networks. Or how many times do you walk down the hall of some office and see an unattended PC that hasn't been logged off or locked in some way? The human element will likely always be the weakest link in computer security.
Is cracking passwords even that necessary anymore? How many secret, zero-day (i.e. not yet publicly known) vulnerabilities are out there in actual software right now, like in the operating system or applications? You don't even need to log in to burrow into a network. You have a lot of highly educated computer science folks from Russia, Ukraine, China, Brazil, etc. who are hired to work on penetrating just about anything on behalf of governments and criminals alike. The trend of computer services, even for corporations, moving out into "the cloud" is worrying to me from a security/privacy standpoint.
I've personally learned to assume that computer networks will be hacked and have tried to adjust my expectations accordingly for my personal online activities. Like storing important computer files in external hard drives or thumb drives, unconnected to the Internet, when they aren't needed. Not keeping highly sensitive information in my webmail account for long. I try to use those one-time disposable credit card numbers for online purchases so that when--not if--someone steals a million credit cards from an online merchant or credit card processor, it won't do anyone else any good.
I'm not paranoid. It's not like I put tinfoil on my windows and sweep for listening devices every morning. I'm just accepting the situation and reducing my exposure to risk. I have no pretense that I'm somehow invulnerable to having my webmail or credit card account hacked or that my PC might become part of some spam network someday. It happens.
As far as picking passwords goes, I have been a longtime fan of Diceware--using dice plus a word or symbol list to create random, secure passwords that aren't just gobbledygook, like Rx5KL+q. I think most IT folks are realizing that from a real world perspective, those kinds of gobbledygook passwords just aren't practical because they are difficult to remember, especially when our lives often have so many different resources that require a password. And the use of dice avoids the second most common method of getting your password--guessing based on knowing something about you.
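
The Diceware procedure mentioned above, sketched in Python as an added example that is not part of the original comment: dice rolls are read as a base-6 number that indexes a word list. The 36-word list is constructed for illustration (a standard Diceware list has 7776 words, five dice per word), `secrets` stands in for physical dice, and the 94-symbol alphabet used for the comparison is an assumption.

```python
import math
import secrets

# Constructed 36-word list (2 dice per word) so the example runs offline.
# A real Diceware list has 6**5 = 7776 words and uses 5 dice per word.
WORDS = ("amber bacon cedar delta ember fable gravel harbor igloo jungle "
         "kettle lumber magnet nickel orbit pebble quartz radar saddle timber "
         "umpire velvet walnut xenon yonder zipper anchor basket candle dagger "
         "eagle falcon garlic hammer island jacket").split()

def dice_per_word(wordlist):
    """Number of dice needed to index the list; its size must be a power of 6."""
    n = round(math.log(len(wordlist), 6))
    if 6 ** n != len(wordlist):
        raise ValueError("word list size must be a power of 6")
    return n

def rolls_to_index(rolls):
    """Read the rolls as a base-6 number: (1, 1) -> 0, (6, 6) -> 35."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("a die shows 1..6")
        index = index * 6 + (r - 1)
    return index

def roll_die():
    """One fair die from the OS CSPRNG (stands in for a physical die)."""
    return secrets.randbelow(6) + 1

def passphrase(n_words, wordlist=WORDS):
    """Pick n_words independently and uniformly, one group of rolls per word."""
    k = dice_per_word(wordlist)
    picks = (rolls_to_index([roll_die() for _ in range(k)]) for _ in range(n_words))
    return " ".join(wordlist[i] for i in picks)

def entropy_bits(choices, length):
    """Entropy when each of `length` symbols is drawn uniformly from `choices`."""
    return length * math.log2(choices)

if __name__ == "__main__":
    print(passphrase(6))
    print(entropy_bits(7776, 6))  # six words from a full 7776-word list
    print(entropy_bits(94, 7))    # seven random characters, 94 printable symbols assumed
```

The entropy figure only holds when every word comes from a fresh set of rolls; swapping in words you like better, or rerolling until the phrase "looks good", reduces it.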