http://www.pcmag.com/article2/0,2817,2383890,00.asp
Not the best article I've seen about password protection.
Authentication (http://en.wikipedia.org/wiki/Authentication#Authentication_factors_and_identity) by use of passwords (a knowledge factor, something you know) is done in a few stages:
The user enters the password they want to use for their account. The password is put through a cryptographic hash function (http://en.wikipedia.org/wiki/Cryptographic_hash_function) which turns the user's password into a hash (Eg: 'passw0rd' when put through the hash function SHA-1 becomes '7c6a61c68ef8b9b6b061b28c348bc1ed7921cb53').
This hash is kept on the service which holds your account.
When you go to login later, you enter your password just like before. This too is hashed and the result is then checked against the hash stored in the database for your account. If the hashes match, it means the password that was entered was the same as the one originally used to create the hash in the database (assuming the hash function being used doesn't suck).
One of the reasons hashes are used is so passwords are not kept in plaintext (as-is) in databases: if the database is compromised, it is harder to recover the original password from its hash and use it with the service. You can't just grab a hash and submit it as the password for an account, because the hash will be treated as a normal password and the service will hash the hash to check against the stored value (which won't be the same). It also means administrators like me can view the raw user data of a database without knowing your passwords. (A caveat: a plain, fast hash like the SHA-1 example above is shown for illustration only; a service should store a salted and deliberately slow password hash, such as PBKDF2, bcrypt or scrypt, so that an attacker who steals the database can't try billions of guesses per second.)
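The register/login flow described above, as an added example written for this post (it is not code from the original article or from any service it mentions). It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt as the stored password hash; the plain SHA-1 function is included only to reproduce the post's own example and to show that submitting the hash itself as the password does not log you in.

```python
import hashlib
import hmac
import os

# Assumed parameters for the slow, salted password hash. The original post only
# mentions plain SHA-1; PBKDF2-HMAC-SHA256 is one widely available alternative.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def sha1_hex(password: str) -> str:
    """Plain, unsalted SHA-1 as in the post's example (not suitable for storing passwords)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def register(password: str) -> str:
    """Stage 1: the user picks a password; the service keeps only a salted, slow hash.

    Returns the stored record as 'scheme$iterations$salt_hex$hash_hex' so that
    everything needed to verify later (but not the password) lives in the database.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Stage 2: hash the submitted password with the stored salt and compare.

    compare_digest avoids leaking, via timing, how many leading bytes matched.
    """
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unknown password hash scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    stored = register("passw0rd")          # what the service keeps
    print("stored record:", stored)
    print("correct password:", verify(stored, "passw0rd"))
    print("wrong password:  ", verify(stored, "password"))
    # Submitting the hash as the password just hashes the hash, so it fails:
    print("hash as password:", verify(stored, sha1_hex("passw0rd")))
    # Same password registered twice gets a different salt, hence a different record:
    print("records differ:  ", stored != register("passw0rd"))
```

Because the salt is stored alongside the hash, the service can always recompute the comparison value, while an attacker holding the database has to redo the slow PBKDF2 work separately for every account and every guess.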
I think it's important people understand the mechanisms of how password authentication works. Many important services, from social networking, banks and government websites to eBay and other shopping websites, can rely solely on passwords. With so much at stake (identity theft etc.) I would hope people would care about how these things work as much as they do about how the safety features in a car work.
People should also avoid using the same password for multiple services, because if one account is compromised an attacker can try the same details on other accounts, such as a linked email or social networking account.
Also, symbols are a definite plus, in a perfect world I'd make them mandatory. They can dramatically increase the time it takes for an attacker to brute-force a password, and they reduce the attacker's options for using precalculated tables (http://en.wikipedia.org/wiki/Rainbow_tables) in case they manage to actually steal your password hash from a service, since a table only covers the character set it was built for. A good service will use a salt (http://en.wikipedia.org/wiki/Salt_%28cryptography%29) to make those pre-calculated tables less effective, even if the user picks a weak password.
Avoid dictionary words where possible: a password comprised mostly of dictionary words is vulnerable to a dictionary attack (http://en.wikipedia.org/wiki/Dictionary_attack).
Though, in reality, a lot of services will limit the number of password attempts before locking you out for a set period of time. The trouble really comes in when an attacker has gotten hold of your password hash, either by breaking into a service and extracting it from the database or by compromising your computer and taking a stored credential. In those scenarios, they can brute-force it or use pre-calculated tables on their own equipment and in their own time, without interacting with the target any further, so the service's lockout never comes into play.
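The offline attack described in the last few paragraphs, as an added example written for this post (not code from the original article). It runs a small constructed wordlist against a constructed "leaked" table of unsalted SHA-1 hashes, where a precomputed lookup cracks every dictionary password with no hashing at attack time, and then against the same passwords stored as salted PBKDF2, where the salt forces a fresh hash computation for every (account, guess) pair. The iteration count is deliberately tiny so the example runs quickly; a real service would use a far higher one.

```python
import hashlib
import os

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["letmein", "password", "passw0rd", "dragon", "sunshine", "qwerty", "monkey"]

# Constructed user accounts; carol's password contains symbols and is not in the wordlist.
USERS = {"alice": "passw0rd", "bob": "dragon", "carol": "Tr0ub4dor&3"}

# Assumed PBKDF2 iteration count, reduced from a realistic value (hundreds of thousands)
# so the demonstration finishes instantly.
DEMO_ITERATIONS = 1000


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def leak_unsalted(users: dict) -> dict:
    """What an attacker gets from a service that stored bare SHA-1: {user: hash}."""
    return {u: sha1_hex(p) for u, p in users.items()}


def leak_salted(users: dict, iterations: int) -> dict:
    """What an attacker gets from a service that stored salted PBKDF2: {user: (salt, hash)}."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, pbkdf2_hex(p, salt, iterations))
    return out


def build_lookup_table(words) -> dict:
    """Precompute hash -> word once; reusable against every unsalted SHA-1 leak ever obtained."""
    return {sha1_hex(w): w for w in words}


def crack_unsalted(leaked: dict, table: dict) -> dict:
    """One dictionary lookup per account, zero hash computations during the attack."""
    return {u: table[h] for u, h in leaked.items() if h in table}


def crack_salted(leaked: dict, words, iterations: int):
    """Per-account salt means no shared table: every guess is hashed again for every account.

    Returns (cracked passwords, number of PBKDF2 computations performed).
    """
    found, work = {}, 0
    for u, (salt, target) in leaked.items():
        for w in words:
            work += 1
            if pbkdf2_hex(w, salt, iterations) == target:
                found[u] = w
                break
    return found, work


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted SHA-1 leak cracked:", crack_unsalted(leak_unsalted(USERS), table))
    found, work = crack_salted(leak_salted(USERS, DEMO_ITERATIONS), WORDLIST, DEMO_ITERATIONS)
    print("salted PBKDF2 leak cracked: ", found, "after", work, "hash computations")
```

Both stores give up alice's and bob's dictionary passwords; the difference is cost. The unsalted leak is cracked from a table built once and shared across every breach, while the salted store made the attacker pay a full PBKDF2 run per guess per account, and the symbol-bearing password that is not in the wordlist survives either way, which is the point of the advice above.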
However, the future really is in multi-factor authentication (http://en.wikipedia.org/wiki/Two-factor_authentication). An example being a bank account with a password (something you know) and a token (something you have).