In today's day and age, it is highly recommended to use a passphrase, which provides extra security, instead of a password. Many attacks against computers and accounts rely on breaking weak passwords based on dictionary words, birthdates, and other easily guessable or accessible information. Passwords also tend to be less complex and easier to guess than a passphrase, which is usually in the form of a sentence, lyric, poem, or quote. Passphrases tend to include spaces and punctuation, which adds to the complexity of the passphrase and makes it more difficult to guess or steal. The goal is to strike a balance between remembering the passphrase/password and making it difficult for bad actors to guess.
The rule of thumb: create a long, personally memorable passphrase that is unique and matches the security requirements of the institution.
If you want to learn more about why longer passphrases make excellent passwords, take a look at this article written by Hive Systems, which goes over the time estimates it takes to crack a password.
Note: If a random mix of unrelated words works for you, this can produce a stronger passphrase, because the randomness makes it more difficult for a bad actor to guess. There are many ways to create a mix of random words. For instance, there are tools available on the internet that can help, or you could open a dictionary or another book to random pages and select unrelated words. Just keep in mind that you will still need to remember what you create.
Adversaries can crack a short, simple password with very little effort or time; making the passphrase complex and unique to you and that account makes it far more difficult for an adversary to access your data. If adversaries crack a passphrase, they will attempt to use it on every account they find that is associated with you, and may even change your passphrase so that you can’t regain access to your accounts. Having a unique passphrase for every valuable account is worth the effort because it stops a single cracked passphrase from opening all of them.
Always remember that passwords should be typed fluently to counter "shoulder surfers," who often try to gain access by watching your fingers on the keyboard. Note: It's not rude to ask a person to look away from the keyboard while you authenticate into a system!
Note: The following phrase is to serve as an example only and should not be used as an actual password.
Good: the brown jug belonged to my mother
This phrase works well: it more than meets the 16-character requirement and contains several words, and it is very user friendly because it is an easy-to-remember sentence. However, it is not as secure as the next example.
Better: The brown jug belonged to my dear mother.
This phrase is a better password. It adds further components (a capital letter and a period) while remaining a multi-word passphrase, which makes it more secure than the first.
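To make the Good/Better criteria above and the random-word suggestion in the earlier note concrete, here is an added Python example (not DePaul's or Hive Systems' code). It assumes the 16-character and multi-word requirements described on this page and uses a constructed, deliberately tiny word list for the random-word generator.

```python
import re
import secrets
import string

# Requirements as described in the article (assumed to be the institution's rule).
MIN_LENGTH = 16
MIN_WORDS = 2


def passphrase_report(phrase: str) -> dict:
    """Check a candidate passphrase against the article's criteria.

    Returns the individual checks plus a rating:
      "weak"   - too short or not a multi-word phrase
      "good"   - meets the length and multi-word requirement
      "better" - additionally contains a capital letter and punctuation
    """
    words = [w for w in re.split(r"\s+", phrase.strip()) if w]
    checks = {
        "length": len(phrase),
        "word_count": len(words),
        "has_upper": any(c.isupper() for c in phrase),
        "has_punctuation": any(c in string.punctuation for c in phrase),
    }
    meets_minimum = checks["length"] >= MIN_LENGTH and checks["word_count"] >= MIN_WORDS
    if not meets_minimum:
        checks["rating"] = "weak"
    elif checks["has_upper"] and checks["has_punctuation"]:
        checks["rating"] = "better"
    else:
        checks["rating"] = "good"
    return checks


# Constructed sample word list; a real generator should draw from thousands of words.
SAMPLE_WORDS = ["jug", "lantern", "orbit", "pickle", "velvet", "harbor",
                "cactus", "marble", "thunder", "biscuit"]


def random_word_passphrase(count: int, wordlist=SAMPLE_WORDS) -> str:
    """Pick `count` distinct words using the CSPRNG in `secrets` (not `random`)."""
    if count > len(wordlist):
        raise ValueError("not enough words in the list")
    pool = list(wordlist)
    chosen = []
    for _ in range(count):
        word = secrets.choice(pool)  # cryptographically secure selection
        pool.remove(word)            # avoid repeating a word
        chosen.append(word)
    return " ".join(chosen)


if __name__ == "__main__":
    for p in ["the brown jug belonged to my mother",
              "The brown jug belonged to my dear mother."]:
        print(p, "->", passphrase_report(p)["rating"])
    print("random:", random_word_passphrase(5))
```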
Please watch this short video for more information about passwords and authentication at DePaul.