We'd first have to differentiate people that write their password on post-its in an open environment. People that have the same password on all services etc.