I agree that all that has happened is that a password was compromised. If he had any personal information in email archives in that account, etc., well, then he may be well and truly screwed.
I agree with the idea of making the password hard and that it is okay to write it down, especially if he pretty much only uses it from home - although sticking it in your wallet behind your driver's license (or similar) is fine as well.
Don't rely on the originating IP. IP injection and email injection are trivial to do. If I were doing something like this, I'd use a Nigerian IP address just to give a nod to those who figured it out.
The important thing to figure out is how the password was compromised. Was it just a brute-force attack and he was using a weak password, or perhaps his computer was infected with malware and his data was harvested from there, or maybe he was foolish enough to use a public computer that wasn't secure, or ... You get the idea.
Oh well, back to prepping the course I am teaching next term. A grad CS course in secure programming...
Quick edit: here is an acceptable set of hints for creating passwords. Don't give much credence to the first section, "Tips", but the next two sections are really good. Mnemonic devices are your friend!
http://www.cs.umd.edu/faq/Passwords.shtml
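As an added illustration of the "don't rely on the originating IP" point above (example code, not part of the original post or thread): everything in a mail message below the hop stamped by your own server is supplied by the sender, so forged `Received:` lines and an `X-Originating-IP:` header can point anywhere the attacker likes. The message below is constructed for the example, the recipient MTA name `mx.example.net` is assumed, and the parsing helpers are the example's own.

```python
"""Show which 'originating IP' in a mail header can actually be trusted.

Constructed sample: the attacker's real relay (198.51.100.7) hands the
message to our MTA, mx.example.net, but first prepends two fake
Received: lines and an X-Originating-IP header claiming the mail
started at 41.0.0.1.  Only the hop our own server stamped is reliable.
"""
import email
import re

# Constructed sample message (not a real capture).  Header lines are
# folded with a leading tab, as real MTAs do.
RAW_MESSAGE = b"""\
Received: from smtp.attacker.example (smtp.attacker.example [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id 4A1B2C3D4E
\tfor <victim@example.net>; Mon, 01 Jan 2024 10:00:05 +0000
Received: from webmail.bigisp.example (webmail.bigisp.example [41.0.0.1])
\tby smtp.attacker.example with ESMTP; Mon, 01 Jan 2024 09:59:59 +0000
Received: from [41.0.0.1] by webmail.bigisp.example with HTTP;
\tMon, 01 Jan 2024 09:59:58 +0000
X-Originating-IP: [41.0.0.1]
From: victim@example.net
To: victim@example.net
Subject: password reset

hi
"""

# Bracketed IPv4 literal, e.g. "[198.51.100.7]", and the "by <host>" clause.
IP_RE = re.compile(r"\[([0-9]{1,3}(?:\.[0-9]{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def received_hops(raw):
    """Return the Received: chain as (claimed_from_ip, relay_host) tuples,
    in header order (most recent hop first)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        ip = IP_RE.search(flat)
        by = BY_RE.search(flat)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def trusted_origin(raw, our_mta):
    """The one hop we can vouch for: the topmost Received: whose 'by'
    host is our own MTA.  Its 'from' address is the peer that actually
    connected to us; everything further down was written by that peer."""
    for ip, by in received_hops(raw):
        if by and by.lower() == our_mta.lower():
            return ip
    return None


def claimed_origin(raw):
    """What a naive check reports: the X-Originating-IP header if present,
    else the bottom-most Received: line.  Both are sender-controlled."""
    msg = email.message_from_bytes(raw)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = IP_RE.search(xoip)
        if m:
            return m.group(1)
    hops = received_hops(raw)
    return hops[-1][0] if hops else None


if __name__ == "__main__":
    for ip, by in received_hops(RAW_MESSAGE):
        print(f"from {ip!s:15} by {by}")
    print("naive 'originating IP':", claimed_origin(RAW_MESSAGE))
    print("peer our MTA really saw:", trusted_origin(RAW_MESSAGE, "mx.example.net"))
```

The naive check reports 41.0.0.1, the address the attacker chose; the hop our own server recorded shows 198.51.100.7, which is the only IP worth putting in an abuse report or a login-anomaly rule. The same caveat applies to any "originating IP" a webmail provider displays, since it is usually copied from one of these sender-controlled headers.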