Most authentication methods depend primarily on keeping a password or cryptographic key secret. Passwords that are easy for someone else to guess are effectively not secret.
Users tend to want to pick passwords that are easy for them to remember, which often means they are easy for other people to guess. Encourage users to pick passwords that aren't dictionary words and that aren't things people could easily find out about them (such as names of relatives or pets, their address or phone number, etc.). Use password cracking against your own password file to find the easily guessable passwords.
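The same two criteria (dictionary words and personal details) can also be checked when a user sets a password, before it ever reaches the password file. The following is an added example, not part of the original text; the wordlist, the personal details, and all function names are constructed for illustration.

```python
import re

# Constructed sample wordlist; a real deployment would load a full dictionary file.
SAMPLE_WORDS = {"password", "dragon", "sunshine", "welcome", "monkey"}
# Common character substitutions to undo before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
DECOR = "0123456789!@#$%^&*._-"  # characters users append or prepend

def letters(text):
    return re.sub(r"[^a-z]", "", text)

def digits(text):
    return re.sub(r"\D", "", text)

def variants(candidate):
    """Lowercased forms with decoration trimmed and substitutions undone."""
    low = candidate.lower()
    out = set()
    for form in (low, low.rstrip(DECOR), low.strip(DECOR)):
        out.add(letters(form))
        out.add(letters(form.translate(LEET)))
    out.discard("")
    return out

def check_password(candidate, personal_info, words=SAMPLE_WORDS, min_len=4):
    """Return the reasons a candidate is easy to guess (empty list: none found)."""
    forms = variants(candidate)
    reasons = []
    # Dictionary word, possibly decorated, substituted or reversed.
    if any(f in words or f[::-1] in words for f in forms):
        reasons.append("dictionary word")
    cand_digits = digits(candidate)
    for label, value in personal_info.items():
        tokens = [t for t in re.findall(r"[a-z]+", value.lower()) if len(t) >= min_len]
        hit = any(t in f for t in tokens for f in forms)
        info_digits = digits(value)
        if len(info_digits) >= min_len and info_digits[-min_len:] in cand_digits:
            hit = True  # e.g. the last digits of a phone number
        if hit:
            reasons.append(f"contains {label}")
    return reasons

# Constructed personal details for a hypothetical account.
INFO = {"relative": "Alex Morgan", "pet": "Biscuit",
        "address": "12 Maple Street", "phone": "555-0142"}
```

An empty list only means none of these specific patterns matched; it is not a measure of overall strength.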
Even if users are good at picking hard-to-guess passwords and keeping them secret, if the password is exposed somewhere else then it is also effectively not secret. The most common way passwords are exposed is during network communication. Use encryption (particularly SSL-enabled protocols or ssh) to prevent exposure of passwords.
One of the most common methods for bypassing password protection is the use of social engineering attacks to obtain passwords from users or trick system administrators into changing passwords. Educate users to distrust all requests for passwords (and don't ask for user passwords yourself; it's almost never necessary to know a user's password as a system administrator). Never accept third-party requests for password changes, and ensure that you properly verify the identity of users who are requesting password changes.