Pretty much everyone understands the basic point of a password: a word known only to yourself, which controls access to your files or forum account or whatever. You probably had a few run-ins with your school's Head of IT/Comp Sci or Information Technology Manager (or whatever fancy title they give the most senior, sometimes the only, faculty member who knows how to fix the computers) until you learned to pick a password that wasn't guessable, and to stop typing it in the instant you saw someone peering over your shoulder. But out here in the grown-up world, you're up against more than just some annoying little boy with nothing better to do than make your life slightly difficult, and password security is a much bigger issue.
I'm going to start by explaining some of the tricks you'll be coming up against, then I'll tell you how not to get screwed over by them.
Typical Avenues of Attack:
Brute Force, or 'Dictionary' Attacks:
The least sophisticated form of attack, in which a would-be cracker uses a simple program to fill the password box with strings of random letters and numbers until it hits the right combination. More sophisticated examples run through lists of existing words (names, TV shows etc.) before resorting to random strings, but it's still a time-consuming process, even more so against servers that allow only a limited number of login attempts before blocking access for a while. Nevertheless, the longer and more complicated your password is, the lower the odds of them hitting on it quickly.
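The "limited number of login attempts" defence mentioned above is easy to get wrong, so here is an added example of how a server-side throttle can be built. This is illustrative code written for this tutorial, not taken from any forum software; the policy numbers (five failures in five minutes, fifteen-minute lockout), the account names and the fake clock are all constructed assumptions.

```python
import time
from collections import deque

# Policy values: constructed assumptions for this example, not from the post.
MAX_FAILURES = 5          # failures tolerated inside the window
WINDOW_SECONDS = 300      # length of the sliding window
LOCKOUT_SECONDS = 900     # how long an account stays locked afterwards


class LoginThrottle:
    """Tracks failed logins per account and locks the account once too many
    failures land inside a sliding time window."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so tests can fake time
        self._failures = {}          # account -> deque of failure timestamps
        self._locked_until = {}      # account -> time the lockout expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout has expired: forget it and start a clean failure count.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Register one failed attempt; returns True if it triggered a lockout."""
        now = self._clock()
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(throttle, account, password, real_password):
    """Returns 'locked', 'ok' or 'bad'. The plaintext comparison is only a
    stand-in for this example; a real server compares a salted hash."""
    if throttle.is_locked(account):
        return "locked"
    if password == real_password:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad"


def simulate(guesses, real_password, account="alice"):
    """Run a constructed list of guesses, one per second, and return the outcomes."""
    fake_now = [1000.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    outcomes = []
    for guess in guesses:
        outcomes.append(attempt_login(throttle, account, guess, real_password))
        fake_now[0] += 1.0
    return outcomes


if __name__ == "__main__":
    # Five wrong guesses lock the account; the sixth is refused even though it is right.
    print(simulate(["a", "b", "c", "d", "e", "secret"], "secret"))
```

Note that the lockout is keyed on the account, not on the guesser's address, so it also stops a program that spreads its guesses across many machines; the cost is that a lockout can be triggered deliberately against someone else's account, which is why the lock expires on its own rather than needing an administrator.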
Phishing:
In its simplest form, an email purporting to be from the forum administrators or your bank etc., claiming they need your username and password to perform some system maintenance task or other. These aren't especially common now, thanks to increased public awareness that under no circumstances will a legitimate organisation ever actually need to ask you what your password is.
A more subtle variation involves an email purportedly from a site like Amazon with a link to a special offer, which actually leads to a fake login page that captures your details. The best defence against these is to always look at the address bar before logging in when you follow such a link; the domain name of the real site is the one thing that can't be faked, though it can be imitated, so read the whole thing rather than just checking that the brand name appears somewhere in it.
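The address-bar check above is exactly what a defensive link filter automates, and the pitfalls are the same ones a person falls for: the trusted name buried in a longer hostname, hidden in the path, or placed before an @ sign. The following is an added example written for this tutorial (not code from any mail client or from Amazon); the trusted-site list and the sample links are constructed, and the `.example` and `.net` hosts are placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list of registered domains we expect offer links to land on.
TRUSTED_SITES = {"amazon.com", "paypal.com"}


def link_goes_to(url, trusted=TRUSTED_SITES):
    """Return the trusted site this URL really belongs to, or None.

    Only the hostname is examined, which is the part the address bar shows.
    The path, query string, fragment and any user@ prefix are ignored because
    the sender can put anything there. A host matches only if it *is* the
    trusted domain or a subdomain of it, so 'amazon.com.example.net' does
    not count as 'amazon.com'."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname            # lower-cased; userinfo and port removed
    if not host:
        return None
    host = host.rstrip(".")          # 'amazon.com.' names the same host
    for site in trusted:
        if host == site or host.endswith("." + site):
            return site
    return None


def is_secure_trusted_link(url, trusted=TRUSTED_SITES):
    """True only when the link goes to a trusted site over https."""
    secure = urlsplit(url.strip()).scheme.lower() == "https"
    return secure and link_goes_to(url, trusted) is not None


# Constructed sample links of the kind found in offer emails.
SAMPLE_LINKS = [
    "https://www.amazon.com/gp/offer?id=1",              # genuine
    "https://amazon.com.special-offer.example/login",    # trusted name as a prefix
    "http://amazon.com@198.51.100.7/login",              # trusted name before @
    "https://evil.example/amazon.com/login",             # trusted name in the path
    "http://www.amazon.com/",                            # right site, no https
]


def classify(links=SAMPLE_LINKS):
    """Map each link to (site it really goes to, passes the secure+trusted test)."""
    return {u: (link_goes_to(u), is_secure_trusted_link(u)) for u in links}


if __name__ == "__main__":
    for link, verdict in classify().items():
        print(f"{verdict[1]!s:5}  {verdict[0]!s:10}  {link}")
```

A production filter would compare against the registered domain derived from the Public Suffix List rather than a hand-written set, so that `co.uk`-style suffixes are handled, but the matching rule is the same: compare the whole host, right-aligned, never a substring.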
Social Engineering:
This is a very broad term that covers a lot of things, but essentially it means obtaining illegitimate access to sensitive data by face-to-face persuasion. Basic social-engineering tricks include covertly watching someone type in their password, or asking to use someone else's PC on some pretext and grabbing stuff while their back is turned. A more audacious tactic is to steal or fake up an ID card, don a suitable disguise and simply brazen your way into the building, and then out again whilst carrying the file server! (Before you dismiss this as implausible, ask yourself just how hard you'd look at some guy in overalls carrying something heavy on a parcel trolley if you passed him in the corridor at work.)
Obtaining someone's username and password by bribery or coercion is also technically social engineering, albeit a variety that you are fairly unlikely to experience in real life.
Server Compromise:
I mention this avenue of attack only for the sake of completeness, as there's not a lot that you, the user, can do to prevent it. Your password is stored in a database on a server, often in plain text, and is itself protected only by a password and (hopefully) a firewall. If an unauthorised person gains direct access to that server by some means, they can copy the entire database over to their own machine. The person who runs the server is the one who'll get fired and sued for this rather than you, but all the same, prevention is better than cure; any data you have that could be harmful in the wrong hands should stay off browser-based online storage services like Google Documents.
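The "often in plain text" point is the part the server operator can fix, and it is worth seeing what the difference looks like. Below is an added example, written for this tutorial rather than taken from any real forum or bank software, showing the weak storage scheme beside a salted, slow-hash scheme: if the table is copied, the attacker gets only salts and hashes and still has to run a dictionary attack against each one. The user names, passwords and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumptions for this example: salt length and PBKDF2 work factor.
SALT_BYTES = 16
ITERATIONS = 200_000
HASH_LEN = 32


def _derive(password, salt):
    """Slow, salted hash of the password (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, HASH_LEN)


def store_plaintext(db, username, password):
    """The weak scheme the post warns about: a copied table reads every password directly."""
    db[username] = password


def store_hashed(db, username, password):
    """Store only a fresh random salt and the derived hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    db[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify_hashed(db, username, password):
    """Recompute the hash with the stored salt and compare in constant time.
    Unknown users get a decoy record so the response time does not reveal
    which user names exist."""
    record = db.get(username)
    if record is None:
        salt, expected = b"\x00" * SALT_BYTES, b"\x00" * HASH_LEN
    else:
        salt, expected = record["salt"], record["hash"]
    actual = _derive(password, salt)
    return record is not None and hmac.compare_digest(actual, expected)


def leak(db):
    """What someone who copies the whole table gets to see, per user."""
    return {u: (v if isinstance(v, str) else "<salt+hash only>") for u, v in db.items()}


if __name__ == "__main__":
    weak, strong = {}, {}
    store_plaintext(weak, "bob", "hunter2")          # constructed sample credentials
    store_hashed(strong, "alice", "correct horse")
    print(leak(weak))    # the password itself
    print(leak(strong))  # only opaque material
    print(verify_hashed(strong, "alice", "correct horse"), verify_hashed(strong, "alice", "wrong"))
```

PBKDF2 is used here because it is in the Python standard library everywhere; a memory-hard function such as scrypt or Argon2 is the better choice where available, and the work factor should be raised over time as hardware gets faster.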
Choosing a Password:
Six characters is a pretty reasonable minimum password length for everyday use such as on forums like this one; hijack attempts are liable to be opportunistic and low-intensity, and the potential for damage fairly limited. Provided you don't pick anything stupidly obvious like 'password' or your username, you can probably get away with something fairly simple like your dog's name or your favourite hero unit from DOW or whatever. Something like your PayPal account, however, is a very different matter.
Of course, in an ideal world you'd have a different password for everything, each one no less than twelve characters long and made up of lower- and upper-case letters, numbers and special characters. But certain compromises have to be made for the sake of your ability to remember them all; few people could reliably recall more than two or three different ones. The trick is to make them hard to guess or dictionary-attack, yet easy to remember. The registration number of your car or your postal or zip code are two good candidates, as is your social security number or its local equivalent, up to a point; the latter can be used for identity fraud, but only in conjunction with your real name, as it usually needs to be backed up by photo ID. Alternatively, if you have the dubious distinction of fluency in l337-speak, it can create nearly uncrackable passwords from any word translated into it.
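The rules in this section (minimum length, mixed character classes, nothing obvious, nothing containing the username) are what a registration form's strength check enforces. Here is an added example of such a check, written for this tutorial and not taken from any forum's code. One caveat it builds in: cracking dictionaries routinely carry the l337-spelled variants of common words, so the check maps digits and symbols back to letters before the dictionary lookup. The word list, the substitution table, the 60-bit threshold and the sample passwords are constructed assumptions.

```python
import math
import re

# Constructed mini word list standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "letmein", "dragon", "qwerty", "welcome", "monkey"}

# l337 substitutions to undo before the dictionary lookup (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Character classes with the size of the pool each one draws from.
CLASSES = [
    ("lower", re.compile(r"[a-z]"), 26),
    ("upper", re.compile(r"[A-Z]"), 26),
    ("digit", re.compile(r"[0-9]"), 10),
    ("symbol", re.compile(r"[^A-Za-z0-9]"), 33),
]


def charset_size(password):
    """Size of the alphabet a brute-force attack would have to cover."""
    return sum(size for _, rx, size in CLASSES if rx.search(password))


def entropy_bits(password):
    """Upper bound on strength, assuming every character was chosen uniformly
    from the classes present. Real passwords are weaker than this figure."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, username="", min_len=12, min_bits=60):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if sum(1 for _, rx, _ in CLASSES if rx.search(password)) < 3:
        problems.append("uses fewer than three character classes")
    normalised = password.lower().translate(LEET)
    core = re.sub(r"[^a-z]", "", normalised)      # letters left after de-l337ing
    if normalised in COMMON_WORDS or core in COMMON_WORDS:
        problems.append("is a dictionary word (even after l337 substitution)")
    if username and username.lower() in normalised:
        problems.append("contains the username")
    if entropy_bits(password) < min_bits:
        problems.append(f"estimated strength below {min_bits} bits")
    return problems


if __name__ == "__main__":
    # Constructed samples: the classic bad one, its l337 cousin, and a long passphrase.
    for pw in ["password", "P@55w0rd!", "Correct-Horse-Battery-7"]:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, problems={check_password(pw)}")
```

The entropy figure is deliberately an upper bound: it tells you how long a pure brute-force run would take, while the dictionary and username checks catch the cases where the real search is far smaller than that number suggests.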
Finally, if you take away nothing else from this tutorial, remember this: a strong password is the beginning of good computer security, not the end. Never let anyone you don't know use your home computer unsupervised, or your work computer at all, and shield your keyboard when you type a password in on a PC in a public place like the library or an Internet cafe. If you instruct Firefox to save your passwords, use the Master Password function and set it with the strongest one you can think of. Pay attention to the address bar when following links in emails, and if a page claims to be sending data over a secure connection, look at the little status bar along the bottom of the browser window; unless you see a little padlock icon, it's not as secure as they want you to think. If you keep scanned copies of debit or credit card receipts, bank statements or anything else with the card details on, black out the card number and security code with a felt pen before scanning them.