SolarWinds hackers have a clever way to bypass multi factor authentication


mmiller7

Ars Legatus Legionis
12,380
The best passwords are easy for humans to remember and hard for machines to brute-force. Phrases of unrelated words tend to be ideal.

I used to memorize random passwords like bahopre3 (one digit away from one of my old passwords that was compromised). But random numbers and symbols add entropy less quickly than just adding words.

Something like "purple dog flowers" or "social squash Augustus" is trivially easy to remember, but surprisingly difficult to brute-force. If there are 1000 common English words, then each word is about as good as 2 to 3 letters. If you use one or more obscure words, the passphrase gets radically stronger. Despite having more letters, I've found that passphrases are faster to type than passwords, and rather than mess with capitalization, numbers, and symbols, which are all slow to type, I prefer to just add more words.

Also, best to use a password manager so that you only need one or two actual passphrases.

Works great until you have some security-czar who decides words are bad and bans dictionary words, or anything more than like 3 letters long without a number/symbol, from being any substring, regardless of how long you intended to make it.

I also like rules where they say no more than 2-3 letters that are any other part of your account information. For example, at university I learned "WhatTheHeckThisIsTheStupidestThingEver" is too similar to "Matthew" to be permitted.

Generally I've noticed the more certifications they have in their signature, the more absurd they will make/enforce the rules. People with 1-2 are okay; people with multiple lines wrapping on an email signature are impossible to work with and find fault with everything, including pre-approved whitelisted stuff.
 
Upvote
9 (9 / 0)

mmiller7

Ars Legatus Legionis
12,380
Umm, "WhatTheHeckThisIsTheStupidestThingEver" and "Matthew"

Well there ya go -- I can't even make an example without falling over the rules worse than I realized.

If that doesn't prove how dumb it is, nothing does!
 
Upvote
6 (6 / 0)
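As an added illustration of the two posts above (not code from the thread or from Ars): a hypothetical account-information substring check modelled on the university rule mmiller7 describes, run against the "WhatTheHeck..." example and "Matthew", plus the 1000-word entropy arithmetic from the quoted post. The 2-letter threshold, the field list and the function names are assumptions made for this example.

```python
import math
from typing import List, Optional

# Assumed policy (constructed for this example): reject a candidate that shares
# a case-insensitive substring of more than MAX_SHARED letters with any
# account-info field, as in the "no more than 2-3 letters" rule in the post.
MAX_SHARED = 2

def longest_common_substring(a: str, b: str) -> str:
    """Longest case-insensitive substring shared by a and b (DP, O(len(a)*len(b)))."""
    a, b = a.lower(), b.lower()
    best = ""
    prev = [0] * (len(b) + 1)          # prev[j]: match length ending at a[i-2], b[j-1]
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > len(best):
                    best = a[i - cur[j]:i]
        prev = cur
    return best

def account_info_check(candidate: str, account_fields: List[str]) -> Optional[str]:
    """Return the offending shared substring, or None if the policy passes."""
    for field in account_fields:
        shared = longest_common_substring(candidate, field)
        if len(shared) > MAX_SHARED:
            return shared
    return None

def entropy_bits_words(n_words: int, dictionary_size: int) -> float:
    """Entropy of n_words drawn uniformly and independently from a dictionary."""
    return n_words * math.log2(dictionary_size)

def entropy_bits_chars(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)

def letters_equivalent_per_word(dictionary_size: int, alphabet_size: int = 26) -> float:
    """How many random lowercase letters one dictionary word is worth."""
    return math.log2(dictionary_size) / math.log2(alphabet_size)

if __name__ == "__main__":
    # Constructed inputs: the example passphrase and account name from the thread.
    for cand in ["WhatTheHeckThisIsTheStupidestThingEver", "purple dog flowers"]:
        print(cand, "->", account_info_check(cand, ["Matthew"]) or "passes")
    print("1000-word dictionary: %.2f bits/word, ~%.1f letters"
          % (entropy_bits_words(1, 1000), letters_equivalent_per_word(1000)))
```

The first candidate fails not on "the" alone but on the five-letter overlap "atthe" ("wh-atthe-heck" vs "m-atthe-w"), which is why the example tripped the rule worse than the poster expected.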