Some sites need strong PWs; others do not... ?


Please refer me to an existing thread on this topic as it surely exists :-)

I probably have 100 PWs and the vast majority are for sites that I could care less if they are compromised. For example, the Samsung site that sends me product information on a TV.

For these sites, I just use a very simple (e.g. 1234...) PW. Only for my important sites such as banks, brokerage houses, credit cards, etc, do I take the time to work with more complex PWs.

Is this a reasonable approach?

Thanks

Comments

  • danco
    Volunteer Moderator

    I took that approach, but recently changed.

    If you are using 1PW, there's no advantage in simple passwords. Once you have let 1PW create a password and save it (a very small effort), it will enter your password just as easily for a complex one as for a simple one. The only gain is if you are not using 1PW for some reason (perhaps on a mobile device).

    I decided to make the change mostly to deal with the highly unlikely risk that someone could coordinate info obtained from the various sites.

  • PWChinook
    Community Member

    At least once a day, I get an email from someone whose computer has been "hacked" by a virus; almost always by someone using a PC. I understand having more secure PWs will not prevent this, i.e., it's a totally different problem. Am I correct in this?

  • khad
    1Password Alumni

    That's correct. Using strong, unique passwords for all your sites is the secure way to go, and 1Password makes it easy — as danco described. But it does nothing to prevent spam sent from others' compromised machines.

    When you have time, I'd encourage you to read Troy Hunt's excellent post which explains password reuse as well as how and why 1Password protects against it:

    The only secure password is the one you can’t remember

    I hope that helps. Please let us know if you have any other questions or concerns. :)

  • danco
    Volunteer Moderator

    Troy's article suggests that if one used a simple password it may be guessable based on known information about you (such as partner's or child's name).

    I've often wondered about this. Obviously that would be a serious risk if someone actually targets you specifically. But suppose a bad guy steals a password file. How likely is it that they (or their computers) would then trawl the internet for all those details? I've never seen this aspect discussed.

  • khad
    1Password Alumni
    edited March 2013

    You are correct. A targeted personal attack could use much more information in a cracking attempt. However, the real issue is that password crackers already know about pretty much all the systems that people use to come up with passwords. Humans are notoriously bad at coming up with anything truly random, and anything short of random makes it that much easier for a computer to crack.

    Dan Goodin wrote a great article explaining what Steve Gibson ended up calling "the death of clever" because it helps us see that no matter how clever we think our password creation scheme is, chances are good that the crackers are at least as clever:

    The RockYou list, and the hundred-millions-plus passwords that have collectively been exposed in its aftermath, brought to light a plethora of other techniques people employ to protect simple passcodes from traditional dictionary attacks. One is adding numbers or non-alphanumeric characters such as "!!!" to them, usually at the end, but sometimes at the beginning. Another, known as "mangling," transforms words such as "super" or "princess" into "sup34" and "prince$$." Still others append a mirror image of the chosen word, so "book" becomes "bookkoob" and "password" becomes "passworddrowssap."

    Passwords such as "mustacheehcatsum" (that's "mustache" spelled forward and then backward) may give the appearance of strong security, but they're easily cracked by isolating their patterns, then writing rules that augment the words contained in the RockYou dump and similar lists. For Redman to crack "Sup3rThinkers", he employed rules that directed his software to try not just "super" but also "Super", "sup3r", "Sup3r", "super!!!" and similar modifications. It then tried each of those words in combination with "thinkers", "Thinkers", "think3rs", and "Think3rs".

    Such cracking techniques have existed for a decade, but they work far better now that the crackers possess a more intimate understanding of the ways people choose passwords.

    In short, computers are getting better at cracking passwords much faster than we humans are getting better at creating them. The solution is to use randomly generated passwords for all your online services. As we've said elsewhere, the strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system. And there really isn't a better system at this time than a randomly generated password of the sort that 1Password's generator creates. That way there is no "shortcut" an attacker can employ when trying to crack it.

    For something like your 1Password Master Password (which is key strengthened with PBKDF2 to protect against sophisticated, targeted attacks), we recommend Diceware. It's a great option for creating strong passwords that are still memorable. But for everything else that 1Password can remember on your behalf, you were correct when you stated above that 1Password "will enter your password just as easily for a complex one as for a simple one". So why not use the longest password each site will allow? :)

    It is great that you are thinking about these things. Keep the questions coming.
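As an added illustration (not part of the thread or of 1Password's own code) of khad's point that the strength of a password system is how many different results it can produce: this Python counts the outputs of the "clever" mangling scheme the quoted article describes and compares it, in bits, with a randomly generated password and a Diceware passphrase. The dictionary size, the leet map, the suffix list and the 94-character printable set are assumptions chosen for the example.

```python
import math
import string

# Constructed assumptions (not figures from the thread): a 100,000-word base
# dictionary, a 7,776-word Diceware list, and the 94 printable ASCII characters.
DICTIONARY_WORDS = 100_000
DICEWARE_WORDS = 7_776
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94

# Assumed mangling rules, modelled on the article's examples ("sup3r", "super!!!",
# "bookkoob"): leet substitution, a short suffix list, and a mirror-image append.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "!", "!!!", "1", "123"]


def mangle_variants(word: str) -> set[str]:
    """Every distinct result the 'clever' scheme can produce from one base word:
    optional capitalisation x optional leet x optional mirror x suffix."""
    out = set()
    for cap in (word, word.capitalize()):
        for leet in (cap, "".join(LEET.get(c, c) for c in cap)):
            for mirrored in (leet, leet + leet[::-1]):
                for suffix in SUFFIXES:
                    out.add(mirrored + suffix)
    return out


def scheme_bits(distinct_outputs: int) -> float:
    """Strength of a *system*: log2 of how many different results it can give."""
    return math.log2(distinct_outputs)


def mangled_dictionary_bits(word: str = "super") -> float:
    """Whole scheme = every dictionary word times the variants per word."""
    return scheme_bits(DICTIONARY_WORDS * len(mangle_variants(word)))


def random_password_bits(length: int) -> float:
    """Generator output: each position independently drawn from 94 characters."""
    return scheme_bits(PRINTABLE ** length)


def diceware_bits(words: int) -> float:
    """Diceware: each word independently drawn from the 7,776-word list."""
    return scheme_bits(DICEWARE_WORDS ** words)


if __name__ == "__main__":
    print(f"mangled dictionary word : {mangled_dictionary_bits():.1f} bits")
    print(f"Diceware, 5 words       : {diceware_bits(5):.1f} bits")
    print(f"random, 20 characters   : {random_password_bits(20):.1f} bits")
```

The mangled scheme yields only about 22 bits with these assumptions, which is why a cracker who knows the rules needs a few million guesses rather than the trillions a random 20-character password or a five-word Diceware passphrase would require.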

This discussion has been closed.