How do I choose a good password?


A good password should be easy for you to remember, but difficult for anyone else to guess. But we're often advised - or forced - to create unmemorable passwords using rules that confuse us and provide little protection against real threats. So to choose a good password, we must understand those threats.

Threats to your password

You can be persuaded to reveal your password - this is called 'phishing' and it's very common. Your password can also be stolen by 'malware' - a malicious program on your computer that records keystrokes as you type - or taken from the browser's saved logins if you use the 'remember password' feature on a web page. In any of these cases it doesn't matter how complicated your password was.

Websites with login pages store passwords in a file, and these files often get stolen. If the file isn't encrypted, nothing you can do will protect your password. If it is encrypted, obvious passwords could get revealed quite quickly. More complex passwords would be slower to break, but the attacker usually has all the time they need.

An attacker might systematically try user names and passwords at the login page of some popular online service. This is called 'brute force' and it's preventable - the page should lock out further attempts after a small number of failures. But many don't, so this is a real threat. Here, using a strong password can help protect you.
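The lockout the article says a login page should have, written out as an added example (not code from the article or from any particular website). The class and constant names are this example's own, the attempt limit and lockout window are assumed values, and the credential store and guesses are constructed for the demonstration:

```python
import time

MAX_FAILURES = 5            # assumption: lock the account after five consecutive wrong passwords
LOCKOUT_SECONDS = 15 * 60   # assumption: keep it locked for fifteen minutes


class LoginGuard:
    """Counts consecutive failed logins per account and refuses attempts while locked."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so the behaviour can be tested offline
        self._failures = {}          # username -> consecutive failures
        self._locked_until = {}      # username -> unix time at which the lock expires

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:
            # the lock has expired: clear the state so the user can try again
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def attempt(self, username, password, verify):
        """Return 'locked', 'ok' or 'fail'; verify(username, password) checks the credential."""
        if self.is_locked(username):
            return "locked"          # refused before the password is even checked
        if verify(username, password):
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
        return "fail"


def demo():
    """Five wrong guesses, then the right password while locked, then after the lock expires."""
    now = [1_000_000.0]                      # fake clock, advanced by hand
    guard = LoginGuard(clock=lambda: now[0])
    # constructed credential store; a real service keeps a salted hash, never the password itself
    users = {"alice": "tBsotbDuigth"}
    verify = lambda u, p: users.get(u) == p
    results = []
    for guess in ["123456", "password", "qwerty", "letmein", "abc123"]:
        results.append(guard.attempt("alice", guess, verify))
    # the correct password is refused while the account is locked
    results.append(guard.attempt("alice", "tBsotbDuigth", verify))
    now[0] += LOCKOUT_SECONDS                # lock expires
    results.append(guard.attempt("alice", "tBsotbDuigth", verify))
    return results


if __name__ == "__main__":
    print(demo())
```

A per-account lock like this stops the repeated guessing the article describes, but it also lets anyone who knows a username lock that user out, so real services usually pair it with slowing down responses or limiting attempts per source address rather than relying on the lock alone.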

What makes a strong password?

Two of the most commonly used passwords are '123456' and 'password' - very bad choices as they would be among the first to be tried by an intelligent attacker.

The ideal password is a fairly random sequence of characters, and extra length is usually more important than a wider range of symbols. But creating your password in this way is not always the most 'human-friendly' approach, as you may find it tricky to remember.

Instead, one of the best techniques is to choose a memorable phrase with as many words as you want letters in the password (usually at least eight), and take the first letter of each word to form an acronym; that acronym is your password. The phrase should not be well known. Mixing capitals and lower case adds quite a lot of strength, but substituting numbers for letters or adding special symbols doesn't make much difference.

For example, the phrase 'the boy stood on the burning deck until it got too hot' could yield a password of 'tBsotbDuigth', which is quite strong. The phrase is memorable even if the password is not, and the rule - capitalise every noun - is simple to remember, but results in unpredictable patterns in the password that make an attacker's job more difficult.
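An added example (not code from the article) that builds the password from the article's phrase using its rule, and then puts numbers on the claim above that length matters more than a wider range of symbols by comparing the number of guesses an attacker who knows nothing about the construction would have to try. The function names and the three policies compared are this example's own choices:

```python
import math
import string


def acronym_password(phrase, nouns):
    """First letter of each word; words listed in `nouns` get a capital (the article's rule)."""
    letters = []
    for word in phrase.split():
        first = word[0]
        letters.append(first.upper() if word.lower() in nouns else first.lower())
    return "".join(letters)


def search_space_bits(length, alphabet_size):
    """log2 of the number of passwords an exhaustive attacker must try at worst."""
    return length * math.log2(alphabet_size)


def compare_policies():
    """Search-space size, in bits, for a short password with every symbol allowed
    versus a longer password made only of letters."""
    lower = len(string.ascii_lowercase)                                        # 26
    mixed = len(string.ascii_letters)                                          # 52
    printable = len(string.digits + string.ascii_letters + string.punctuation) # 94
    return {
        "8 chars, any printable": search_space_bits(8, printable),
        "12 chars, lowercase only": search_space_bits(12, lower),
        "12 chars, mixed case": search_space_bits(12, mixed),
    }


if __name__ == "__main__":
    phrase = "the boy stood on the burning deck until it got too hot"
    print(acronym_password(phrase, {"boy", "deck"}))   # the article's own example
    for policy, bits in compare_policies().items():
        print(f"{policy}: {bits:.1f} bits")
```

Twelve lowercase letters give a larger search space (about 56 bits) than eight characters drawn from all 94 printable ASCII symbols (about 52 bits), and capitalising some of the twelve raises it to about 68 bits. These figures are an upper bound: an acronym of a famous line has far fewer real possibilities than its length suggests, which is why the phrase must not be well known.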

Don't use the same password!

Finally, it's important to use different passwords for different activities - not necessarily for each site you use, but at least to segregate sensitive from non-sensitive services.

You might use the same password with different user names for commenting on multiple news sites or blogs, but you should have a different password for each bank and shopping account.


Taken from: http://www.bbc.co.uk/webwise/guides/choosing-a-password

Last modified: Thursday, 2 August 2012, 12:30 PM