These are the password guidelines used by the CIS (Center for Internet Security).
- Use passphrases instead of passwords – Length is the most important aspect of a good password.
- Don’t use words related to your personal information – Avoid things that attackers can look up about you on the Internet.
- Limit using dictionary words – Use non-dictionary alternatives in your passphrases.
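The three rules above can be enforced at account creation rather than left to the user. The following is an added example (not part of the CIS material): a Python check that rejects short candidates, candidates containing fragments of the user's profile, and candidates built only from dictionary words. The dictionary, the minimum length of 14 characters and the sample profile are constructed for the example; a real deployment would use a full wordlist and the account's real profile fields.

```python
import re

# Constructed for this example: a tiny dictionary and a minimum length.
# A real deployment loads a full wordlist; 14 is an assumed policy value.
DICTIONARY = {"password", "sunshine", "dragon", "welcome", "letmein",
              "correct", "horse", "battery", "staple"}
MIN_LENGTH = 14


def personal_tokens(profile: dict) -> set:
    """Lower-cased fragments (3+ chars) of profile fields an attacker could look up."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[^a-z0-9]+", str(value).lower()):
            if len(part) >= 3:
                tokens.add(part)
    return tokens


def check_passphrase(candidate: str, profile: dict) -> list:
    """Return a list of guideline violations; an empty list means the candidate passes."""
    problems = []
    lower = candidate.lower()

    # Rule 1: length is the most important property.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: {len(candidate)} < {MIN_LENGTH} characters")

    # Rule 2: nothing that can be looked up about the user.
    for token in personal_tokens(profile):
        if token in lower:
            problems.append(f"contains personal information: {token!r}")

    # Rule 3: split on non-letters so "Sunshine2024!" still exposes the word;
    # flag only when every fragment is a plain dictionary word.
    words = [w for w in re.split(r"[^a-z]+", lower) if w]
    if words and all(w in DICTIONARY for w in words):
        problems.append("made only of dictionary words")

    return problems


if __name__ == "__main__":
    # Constructed sample profile.
    profile = {"name": "Alice Example", "username": "alice42", "birth_year": 1990}
    for cand in ("Alice1990!", "correct-horse-battery-staple", "c0rrect-h0rse-b4ttery-st4ple"):
        print(f"{cand!r}: {check_passphrase(cand, profile) or 'OK'}")
```

Note the last two candidates: the plain four-word phrase is long enough but is flagged as pure dictionary words, while the variant with non-dictionary substitutions passes, which is the point of the third rule.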
Furthermore, take advantage of the following options that you have today:
- Use Multi-Factor Authentication (MFA / 2FA) – Present two or more independent pieces of evidence (something you know, have, or are) when logging into an account.
- Use password managers – Keep your passwords in an encrypted vault, so the only one you have to remember is the vault's master passphrase.
- Enable account lockout mechanisms – Enforce temporary account lockouts after several consecutive failed attempts, or throttle logins with a delay that doubles after each failure. Keep lockouts temporary: a permanent lockout lets anyone who knows a username deny that user access.
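As an added example (not code from the CIS or from the blog), here is a Python login gate that combines the two lockout options above: a delay that doubles after each failed attempt, then a temporary lockout once five consecutive failures are reached. The thresholds, the constructed user table and the plain-text comparison are assumptions for the example; a real system stores salted password hashes and keeps the state in shared storage. The clock is injectable so the schedule can be verified without sleeping.

```python
import hmac
import time
from dataclasses import dataclass

# Assumed policy values for this example.
MAX_FAILURES = 5            # consecutive failures before a temporary lockout
LOCKOUT_SECONDS = 15 * 60   # temporary: a permanent lockout hands attackers a denial of service
BASE_DELAY = 1.0            # first throttle delay; doubles on every further failure

# Constructed user table; a real system stores salted password hashes.
USERS = {"alice": "c0rrect-h0rse-b4ttery-st4ple"}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users compare against an empty string."""
    expected = USERS.get(username, "")
    return hmac.compare_digest(expected.encode(), password.encode())


@dataclass
class LoginState:
    failures: int = 0
    next_allowed: float = 0.0   # timestamp before which attempts are refused


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock     # injected so tests can drive time forward
        self._state = {}

    def attempt(self, username: str, password: str) -> tuple:
        """Return (accepted, reason); the password is only checked when not throttled."""
        st = self._state.setdefault(username, LoginState())
        now = self._clock()
        if now < st.next_allowed:
            wait = st.next_allowed - now
            kind = "locked" if st.failures >= MAX_FAILURES else "throttled"
            return False, f"{kind}: retry in {wait:.0f}s"
        if verify_password(username, password):
            self._state.pop(username, None)   # success resets the counter
            return True, "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.next_allowed = now + LOCKOUT_SECONDS
            return False, "bad_credentials: account temporarily locked"
        # Doubling delay: 1s, 2s, 4s, 8s after the 1st..4th failure.
        st.next_allowed = now + BASE_DELAY * 2 ** (st.failures - 1)
        return False, "bad_credentials"


if __name__ == "__main__":
    gate = LoginThrottle()
    for pw in ("guess1", "guess2", "c0rrect-h0rse-b4ttery-st4ple"):
        print(pw, gate.attempt("alice", pw))
        time.sleep(0.1)   # the second correct attempt is refused as throttled
```

Because the throttle runs before the password is verified, a brute-force client pays the delay on every request, not only on wrong guesses, and the server avoids spending hash-verification time on requests it is going to refuse anyway.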
Lastly, two additional points are worth keeping in mind (borrowed from the Schneier on Security blog):
- Never reuse a password you care about – Even if you choose a secure password, the site it’s for could leak it because of their own incompetence.
- Beware of the “secret question” – You don’t want the backup system for when you forget your password to be easier to break than the password itself. Really, it’s smart to use a password manager.