I have long wondered why there is so much confusion over choosing strong passwords. I mean, I don't always do it, but it's not that difficult to figure out. First of all, I never use ridiculous garbage passwords such as "aJKEA43%@#5289sl2" that people like to use. This just means there is a book somewhere full of passwords that has to be accessible to various people.
Passwords are made of tokens. These tokens are usually thought of as characters from the alphabet, numbers, etc. The strength of a password is usually thought of in terms of its length and the number of possible tokens at each position. The length makes a lot more difference, so if your passwords consist of between 6 and 10 tokens and each token can be one of 100 characters (a-z, A-Z, 0-9, !@#$^&*()_+ etc.) then the number of possible passwords in that range is 100^10 - 100^5.
However, if you use a dictionary word such as "wooden", it will count as only a single token and not the 6 you intend. This is because smart cracking programs will not try everything such as "..., woodel, woodem, wooden" but will use dictionaries instead. By using dictionaries, attackers increase the token count significantly but reduce the effective length of the password. So if your password is two words long ("woodenhorse" for instance), and there are 50,000 common words in the English language, it will take at most 50,000^2 guesses. That is not many for a computer.
Good passphrases
If you simply pin words together, each word becomes a token, and as this practice becomes more common it's no safer than short random passwords. But this can be beefed up significantly by simply throwing in some entropy. For instance, if you put a space between two words, now your two words have to be tested both with and without a space. If you have two spaces, that has to be tested as well. If you use percent signs instead of spaces, again things get less likely. So basically you can make simple passphrases that are not simple to crack if you understand how password crackers think.
Instead of "magiccarpetride" (3 tokens), use intentional misspellings, channel your inner dyslexia, add extra characters, etc.
"magiccarpetride" -> "jamic. .KRPT. .ride". Magic becomes jamic; each word ends with a period and the next begins with one, except at the two ends; KRPT is carpet with no vowels and in upper case. This is still using tricks that could be tried by a computer, but there are so many possible variations of these types of tricks that it quickly becomes untenable to crack passwords by trying all possible combinations of them. For instance:
"magiccarpetride" -> "maAgi ccaArpe triIde ". In this one, double the first vowel in each word (lower then upper), alternate the spacing (2 spaces, then one space) and move the space from the end of the previous word to the beginning of the next.
The variations are infinite: replace the first letter of each word with xz, remove the last letter, use no spaces but add them all at the end or the beginning, and yes, even use numbers for letters or vice versa. All of these add to the complexity, but simply exchanging letters for numbers or putting a 1 at the end is not enough.
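To put numbers on the token model above, here is an added worked example (my own calculator, not code from the original post). It counts worst-case guesses for the post's scenarios under an assumed attacker who knows the dictionary, the separator convention and the mangling rules and must try every combination; the dictionary size of 50,000 and the 100-symbol character set come from the post, while the separator and mangling-variant counts are assumptions marked in the code. The counts are upper bounds: a real cracker orders guesses by likelihood, so resistance in practice is lower.

```python
import math

# Constructed attacker model, not from the post: the cracker knows the
# dictionary, the separator convention and the set of mangling rules, and
# must try every combination of them. Results are worst-case guess counts.
DICT_WORDS = 50_000   # common English words (the post's figure)
CHARSET = 100         # symbols available per position of a random password

def random_password_guesses(length, charset=CHARSET):
    """Worst-case guesses for a truly random password of `length` tokens."""
    return charset ** length

def passphrase_guesses(words, separator_choices=1, variants_per_word=1,
                       trailing_digits=0, dict_words=DICT_WORDS):
    """Worst-case guesses when every dictionary word is a single token.

    separator_choices: ways to join adjacent words (1 = always run together)
    variants_per_word: mangled forms of each word the cracker must also try
                       (plain, vowels removed, upper-cased, doubled vowel, ...)
    trailing_digits:   digits appended at the end (10 choices each)
    """
    per_word = dict_words * variants_per_word
    return (per_word ** words
            * separator_choices ** (words - 1)
            * 10 ** trailing_digits)

def bits(guesses):
    """Search space expressed as bits of entropy (log2 of the guess count)."""
    return math.log2(guesses)

def compare():
    """The post's scenarios side by side; rule counts are assumptions."""
    return {
        "woodenhorse (2 words)":        passphrase_guesses(2),
        "magiccarpetride (3 words)":    passphrase_guesses(3),
        "magiccarpetride1 (+1 digit)":  passphrase_guesses(3, trailing_digits=1),
        # Assumption: 3 separator forms (none, ' ', '  ') and 20 mangling
        # variants per word, in the style of "jamic. .KRPT. .ride".
        "3 mangled words, varied seps": passphrase_guesses(3, 3, 20),
        "random 10 chars from 100":     random_password_guesses(10),
    }

if __name__ == "__main__":
    for label, n in compare().items():
        print(f"{label:30s} {n:>10.3g} guesses  {bits(n):5.1f} bits")
```

Appending a single digit adds only about 3.3 bits, whereas three mangled words with varied separators land within a few bits of a 10-character random password.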