Someone mentioned how they use the same password on a lot of sites. Let me give a short example of why that is bad:
Years and years ago, we got called in to fix a database where the original designer actually kept all the passwords in plain text. (We saw this all the time in the '90s.)
The owner of the company, while seeking quotes on getting it repaired, actually sent the entire database and website to a whole bunch of contractors in Ukraine, Pakistan, India, Viet Nam, etc.
Not only did it have the passwords in plain text, it actually was integrating with clients' mail servers and file servers. To do this, they had a form where you could keep your own machine's admin credentials, etc., in plain text.
So, basically, this brilliant "CEO" sent the usernames and passwords of all his users and all his clients and all his clients' employees to random people all over the world. (And was confused when we refused to work with him if he didn't notify everyone of the security lapse. And our lawyers said we couldn't even report it without getting sued!)
Anyway... no matter how complex your password is, it just takes one ignorant egomaniac to compromise it.