Yep, most of our supposedly easy-to-remember-hard-to-crack strategies fall pretty quickly when we're informed that there must be a symbol - but not that one, that one, that one, or that one - and there must be a capital letter and there must be a number, oh and sorry your password is now too long. So now we need to remember our standard phrase AND the fact that for THIS website we couldn't use that symbol so we had to put in another and we had to stop after 6, 8 or 10 characters which meant we had to move the number to the front...
Passwords should never be stored as plain text, but as a big long hash. So 'ThisIsMyPasswordForNatWest' becomes 'a64b8d3190050e4600ed3352cb05e5fb9a54c6dc' under a hashing system called SHA1 for instance, and you can't take that hash and reverse it and get the password. A per-account string of random characters should be added to the user's password too - this alone makes it virtually impossible to crack a password. So long as no website stores your password as plain text then you're in the clear.
The problem is that you can't trust websites to not store passwords as plain text, and you have no idea if a website is there just to suck up people's passwords and password strategies. Or even if a company has a website and just one developer decides to make copies of submitted passwords or figure out people's password strategies.
If you're into Computer Science and White-Hat Hacking in particular, read on.
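As an added illustration of the hashing-plus-per-account-salt idea the comment above describes (this is example code written for this page, not the commenter's own, and not a particular site's implementation): the block below shows why a bare SHA1 of the password is not enough on its own (two accounts with the same password produce the identical digest, so one cracked digest reveals both) and how a random per-account salt fixes that. It swaps in PBKDF2-HMAC-SHA256 from Python's standard `hashlib` for the slow, salted step rather than SHA1, since SHA1 is fast and meant for integrity, not password storage. The function names, the record format `algo$iterations$salt$hash`, and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample input: the same example string the comment uses.
# It is a demonstration value, not anyone's real credential.
SAMPLE_PASSWORD = "ThisIsMyPasswordForNatWest"


def unsalted_sha1(password: str) -> str:
    """The first scheme the comment describes: a bare SHA1 of the password.

    Every account that chose the same password gets the identical digest,
    so a leaked table can be attacked with one precomputed lookup for all of
    them. This is what the per-account salt is there to prevent.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str,
                       iterations: int = 600_000,
                       salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random per-account salt and a slow KDF.

    Returns one storable string 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'
    (record layout is an assumption for this example). The salt is random per
    call, so two accounts with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, generated per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time.

    Only the salt, iteration count and digest are stored; the password itself
    never is, which is the point the comment makes about plain-text storage.
    """
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never treat it as a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_collides_unsalted(password: str) -> bool:
    """True: two accounts, same password, same bare SHA1 digest."""
    return unsalted_sha1(password) == unsalted_sha1(password)


def same_password_differs_salted(password: str, iterations: int = 600_000) -> bool:
    """True: two accounts, same password, different salted records,
    yet both records still verify against that password."""
    first = make_salted_record(password, iterations)
    second = make_salted_record(password, iterations)
    return (first != second
            and verify_password(password, first)
            and verify_password(password, second))


if __name__ == "__main__":
    print("bare SHA1 of sample:", unsalted_sha1(SAMPLE_PASSWORD))
    print("same password, same unsalted digest:",
          same_password_collides_unsalted(SAMPLE_PASSWORD))
    print("same password, different salted records:",
          same_password_differs_salted(SAMPLE_PASSWORD))
    record = make_salted_record(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("correct password verifies:", verify_password(SAMPLE_PASSWORD, record))
    print("wrong password verifies:", verify_password("NotMyPassword", record))
```

Run it and compare the two `same password` lines: the unsalted digest is identical for every account, the salted record is not. The salt does not need to be secret, only unique per account and random, and the stored record carries it so verification can recreate the hash later.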