Hmm. Eggs in the basket is not my preferred method, but it might suit some types of user/business.
I tend to have three types of password. Very strong (15-30 characters, depending on any limitations) for the router and for web accounts that are critical, such as admin access to websites. Strong (10-20), usually made up of 2-3 words known only to me and a random number, for things like online purchasing. Weak (8-10 characters) for protected files.
I'm the only user of this PC, and that's the best security of all. Know who uses what, and what access they have to any systems. Also apply group security according to risk / impact / user savvy.
Regarding the GCHQ advice, I thought it less than sensible to have the 'leading' IT security organisation (or the one we all think should be leading) giving advice to relax. That should come from IT management on a business-by-business or mission-by-mission basis.