The best passwords are long, unpredictable, unique, and private.
Long, complex passwords are the best defense against brute force attacks. Computers are fast. Attackers can test many possible passwords against your account in a short time. A few additional characters make a big difference. Use 12 or more characters.
Random or unpredictable passwords are the best defense against targeted attacks. Attackers scour the internet for your personal information. Attackers mine social media shares, newspaper archives, and other online sources for information that could help them guess your password. Avoid using personal information in your password.
Unique passwords are the best way to limit the damage of a breach or a successful attack. Attackers reuse known passwords from data breaches and hacked accounts. Use a different password for every account.
Passwords work as intended when you keep them secret. Treat them like your toothbrush. If you need help remembering your passwords, use a secure password manager in preference to writing them down or storing them in an unencrypted manner.