Bruce Schneier has an article on real-world passwords—specifically, he analysed username/password combinations (allegedly) phished off MySpace.
One quote I like:
We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?
Besides that, he has statistics on password length, top 20 most common passwords, and character mix (letters only vs alphanumeric vs digits only vs non-alphanumeric).
And the top-20 list includes a password I use! \o/ (in a couple of places that I don't consider particularly high-security).
As an aside, I wonder how many of those top 20 passwords are in common use on LiveJournal (and how many more were in common use before LiveJournal changed its password policies).