There are a lot of guides on the web which purport to tell you how to choose a good password. Unfortunately, a lot of them are simply wrong. In particular, guides which tell you to create a password by taking a normal word and then replacing some letters with numbers or punctuation marks are often unhelpful.
There are three problems with doing something like that. Firstly, you end up with a password that is often hard to remember. Secondly, unless you choose a very long word to begin with, it's still vulnerable to a brute force attack. And, finally, people tend to be unoriginal in the way they make these substitutions, so the result is a password that's already known to be in use elsewhere. You don't want that, because password-cracking tools typically start from a list of known passwords plus a small set of "mangling rules" (capitalise the first letter, swap a for @, append 123, and so on) that reproduce exactly these substitutions for every word on the list.
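To show why substitution buys so little, here is an added example (not code from the original post) of the attacker's side: a tiny rule engine of the kind cracking tools ship with, run over a constructed five-word "known passwords" list. The words, substitution table and suffixes are assumptions chosen for illustration; real lists run to millions of entries and real rule sets to hundreds of rules.

```python
import itertools

# Constructed five-word "known passwords" list (illustration only); breach-derived
# lists used in practice contain millions of entries.
KNOWN_WORDS = ["password", "letmein", "dragon", "sunshine", "welcome"]

# The handful of substitutions people actually make (assumed table). A cracking
# rule set applies these to every word on the list, so the variants cost almost nothing.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!"]


def leet_variants(word: str):
    """Yield the word with every subset of its substitutable letters replaced."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for count in range(len(positions) + 1):
        for subset in itertools.combinations(positions, count):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def mangled_guesses(words=KNOWN_WORDS) -> set:
    """Every candidate the rule engine produces: case x leet x suffix, per word."""
    guesses = set()
    for word in words:
        for cased in (word, word.capitalize()):
            for variant in leet_variants(cased):
                for suffix in SUFFIXES:
                    guesses.add(variant + suffix)
    return guesses


def is_generated(candidate: str, words=KNOWN_WORDS) -> bool:
    """True if the rule engine would reach `candidate` from the word list."""
    return candidate in mangled_guesses(words)


if __name__ == "__main__":
    guesses = mangled_guesses()
    # A few hundred guesses cover every "clever" variant of five words; a
    # character-level brute force of the same 9-character space is 62**9.
    print(f"{len(guesses)} guesses generated from {len(KNOWN_WORDS)} words")
    for candidate in ("P@ssw0rd!", "Dr@g0n123", "pink disposal telephone bracket"):
        print(f"{candidate!r:40s} reached: {is_generated(candidate)}")
```

Everything the engine produces is checked in one pass at effectively zero cost, which is why "P@ssw0rd!" is no safer than "password"; only a candidate the rules cannot reach from any listed word forces the attacker back to an exhaustive search.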
So, what's the best way to create a secure password? Here are a few tips.
When it comes to passwords, size matters. Quite simply, the longer it is, the better it is. Longer passwords are harder to crack by means of a "brute force" attack (ie, trying every possible combination of letters and numbers; each extra character multiplies the number of combinations by the size of the character set), and are more likely to be unique (so they won't be in any known password lists). In particular:
Avoid using names, places, dates or any other common word or phrase. If you're choosing a 20+ character passphrase then there's a temptation to pick your favourite comedian's catchphrase, or the title of a book, or something like that. Just don't, OK?
If you absolutely have to use a shorter password (ie, less than 16 characters), then make sure you include non-alphanumeric characters. Unfortunately, some website operators impose an unrealistically short maximum length for passwords. If you have to work in that kind of environment, then you can make your password harder to crack by using spaces and punctuation: every extra character class enlarges the set an attacker has to try at each position, which is the only lever left once length is capped.
So, having said all that, what's the best way to choose a good password? It's simple. Pick three or four random words, none of which have a direct relevance to you. Pick them genuinely at random (dice against a published word list, or a generator that draws from one) rather than out of your head, because the words that come to mind first are the ones an attacker tries first. For example, "pink", "disposal", "telephone" and "bracket". Then think of a mnemonic that allows you to remember those four words easily. For example, you might picture the telephone that you use to call the garbage company being mounted on a pink bracket. It's a pink disposal telephone bracket. And now you've got a 31 character password that isn't a single word, includes non-alphanumeric characters (the spaces), and is almost certainly unique. It's far too long to crack character by character, it won't be in any password lists, and it's easy to remember. One caveat: an attacker who guesses that you built it from a word list will try combinations of words rather than of characters, so four words from a 7776-word list give about 52 bits of search space rather than the 200-odd that the raw length suggests. That is still more than an 8-character random password gives you, and every extra word from that list adds another 13 bits. Compare that with 'jEZa69wR', which is a typical random password (I used the default Wordpress password generator for that). Can you remember it easily? No. Is it crackable by brute force? Yes: eight characters from a 62-character set is roughly 2 × 10^14 combinations, which takes a few days at a billion guesses a second and far less on a modern multi-GPU rig, if the site stores passwords with a fast hash such as MD5 or NTLM. OK, so it probably is unique, and won't be in any word lists, but, even so, it's not really a very good password.
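To make that comparison concrete, here is an added example (not code from the original post) that works out the search space behind each option and generates a passphrase the right way. It assumes a 7776-word diceware-style list, an attacker who knows which list you used, and a guess rate of 10^9 per second, roughly one GPU against an unsalted fast hash; the short word list in the script is a constructed stand-in so it runs offline, and against a slow hash such as bcrypt the rate, and so every time below, moves by several orders of magnitude.

```python
import math
import secrets

# Constructed stand-in for a published word list; it exists only so the script
# runs offline. For a real passphrase use a full list (diceware lists have 7776 = 6^5 entries).
SAMPLE_WORDS = ["pink", "disposal", "telephone", "bracket", "harbour", "velvet",
                "saddle", "lantern", "pepper", "ribbon", "copper", "meadow"]

DICEWARE_LIST_SIZE = 7776   # words the attacker must try per position
ALPHANUMERIC = 62           # a-z, A-Z, 0-9: the set 'jEZa69wR' was drawn from
PRINTABLE_ASCII = 95        # what a character-level brute force has to cover
ASSUMED_GUESS_RATE = 1e9    # guesses per second; an assumption, see lead-in


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESS_RATE) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(wordlist, words: int = 4, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG; random.choice is seedable and therefore guessable."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(guesses_per_second: float = ASSUMED_GUESS_RATE) -> dict:
    """Search space for each strategy as {name: (bits, seconds to exhaust)}."""
    cases = {
        "8 random alphanumerics, e.g. jEZa69wR": entropy_bits(ALPHANUMERIC, 8),
        "4 words, attacker knows the 7776-word list": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "6 words, attacker knows the 7776-word list": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "31 chars, attacker brute-forces printable ASCII": entropy_bits(PRINTABLE_ASCII, 31),
    }
    return {name: (bits, seconds_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:50s} {bits:6.1f} bits  {secs / 86400:.3g} days")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The honest number for the four-word passphrase is the 52-bit line, not the 200-bit one, since you should assume the attacker knows your method; it still beats the eight random characters while being memorable, and each additional word costs the attacker another factor of 7776.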
Here's a great illustration of all this, from XKCD: