The best passwords are completely random: strong, but almost impossible to remember. This report from the National Institute of Standards and Technology (NIST) suggests a better solution: long pass phrases.
Entropy is a measure of password strength. The more entropy a password has, the harder it is to crack. Many systems enforce dictionary and composition rules (numbers, mixed case, punctuation) on short (fewer than ten characters) passwords. This graph on page 23 of the NIST report shows that dictionary rules do not improve longer passwords, and the boost from composition rules is fairly small. A simple twelve-character pass phrase (a-z plus spaces) is as strong as an eight-character rule-based password, but can be much easier to type and remember. Throw in one digit and you've got a very strong credential indeed! I've written a quick three-step approach for the UF campus system (which unfortunately does not allow spaces).
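To put numbers on the comparison above, here is a small added example (my own code, not from the NIST report or this post). It computes the entropy of a uniformly random credential as length × log2(alphabet size) and contrasts the three cases the paragraph mentions: a twelve-character a-z-plus-space pass phrase, an eight-character password drawn from the 94 printable ASCII characters (my assumption for what a "rule-based" password can use), and the pass phrase with digits added to the alphabet. It also generates a credential from each alphabet with the `secrets` module, including a no-spaces variant for systems like the campus one that reject spaces.

```python
import math
import secrets
import string

# Alphabets used in the comparison. PRINTABLE_94 is an assumption:
# letters, digits and punctuation, i.e. what a composition-rule password
# is typically allowed to draw from.
LOWER_SPACE = string.ascii_lowercase + " "                      # 27 symbols
LOWER_SPACE_DIGITS = LOWER_SPACE + string.digits                # 37 symbols
LOWER_DIGITS = string.ascii_lowercase + string.digits           # 36 symbols (no spaces)
PRINTABLE_94 = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a credential chosen uniformly at random from alphabet_size^length."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def compare_credentials() -> dict:
    """Entropy (bits, rounded) of the three cases discussed in the text."""
    return {
        "12-char a-z+space passphrase": round(entropy_bits(len(LOWER_SPACE), 12), 1),
        "8-char printable-ASCII password": round(entropy_bits(len(PRINTABLE_94), 8), 1),
        "12-char a-z+space+digits passphrase": round(entropy_bits(len(LOWER_SPACE_DIGITS), 12), 1),
        "12-char a-z+digits (no spaces)": round(entropy_bits(len(LOWER_DIGITS), 12), 1),
    }


def random_credential(length: int, alphabet: str = LOWER_SPACE) -> str:
    """Pick every character uniformly with a CSPRNG so the entropy figure above holds.

    No post-processing (such as stripping leading spaces) is applied, because any
    such rule shrinks the effective keyspace below alphabet_size^length.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for label, bits in compare_credentials().items():
        print(f"{label:40s} {bits:5.1f} bits")
    print("sample passphrase      :", repr(random_credential(12)))
    print("sample no-space variant:", random_credential(12, LOWER_DIGITS))
```

The twelve-character lowercase-plus-space string comes out a few bits above the eight-character 94-symbol password, which is the point the graph makes: length buys more than symbol variety. The figures assume every character is chosen uniformly; a human-picked phrase has far less entropy than these upper bounds.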