On reflection
Every penetration kit probably has the complete Finnish dictionary as potential passwords. Also backwards and ROT13.
The argument really is that you may be unlikely to crack one person's account by guessing the name is "Smith", but if there are 1000 people's accounts then "Smith" will probably get you at least one working one to abuse.
Do people remember names of their schoolteachers? I'm sorry, I mostly don't. But it's a time in my life I don't like to think about. Surely that isn't uncommon.
If it must be passwords and must be cryptic then human nature demands that they are short and you can write them down. Or use a barcode on a card.
If system A demands >= 8 characters password and system B allows <= 8 characters password then probably you can set the password of each to "penetration" but system B will treat it as "penetrat" and will let you type "penetratwrong" and still let you in. Or maybe it will be "penetran".
SCO UNIX did not allow "moscow" as a password because it contains "sco" as a substring. And when set to reject real words or numbers, it sometimes objected to hexadecimal strings, so I set passwords in bulk as "0qz" plus a random hex number. Then when I had to change them all, I made them a random hex number plus "qz0".
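
An added example, not part of the original comment: a self-test for the silent truncation described above, which sets a probe password on an account you control and reports how many leading characters the verifier actually checks. The in-memory store and the names make_store and effective_length are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import os


def make_store(max_len=None):
    """Constructed in-memory account store returning (set_password, verify).

    max_len models a system that silently keeps only the first max_len
    characters of whatever password it is given.
    """
    record = {}

    def derive(password, salt):
        if max_len is not None:
            password = password[:max_len]  # the silent truncation under test
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def set_password(password):
        record["salt"] = os.urandom(16)
        record["hash"] = derive(password, record["salt"])

    def verify(password):
        return hmac.compare_digest(record["hash"], derive(password, record["salt"]))

    return set_password, verify


def effective_length(set_password, verify, probe_len=32):
    """Return how many leading characters are significant, or None if all
    probe_len characters of the probe are checked."""
    probe = "".join(chr(ord("a") + i % 26) for i in range(probe_len))
    set_password(probe)
    if not verify(probe):
        raise RuntimeError("verifier rejected the password that was just set")
    for i in range(probe_len):
        # Alter only position i; a successful login means position i is ignored.
        altered = probe[:i] + "#" + probe[i + 1:]
        if verify(altered):
            return i
    return None


if __name__ == "__main__":
    for label, limit in (("system A (no limit)", None), ("system B (8 chars)", 8)):
        set_pw, check = make_store(limit)
        print(label, "significant characters:", effective_length(set_pw, check))
        set_pw("penetration")
        print(label, "accepts 'penetratwrong':", check("penetratwrong"))
```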