Password strength is dictated by the system the user is trying to authenticate against. People often shortcut the password policy to make the simplest password that passes the complexity requirements, not one that is actually secure.
In this article from the Washington Post, hundreds of government employees were found to be using simple, easily brute-forceable passwords for their systems: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/
Weak passwords are often due to user frustration with systems requiring passwords to fit their policy, i.e. “your password must have a capital letter and two numbers”. That makes users lazy: they find one password that fits the complexity rules and re-use it. Passwords should be both easy to remember and strong. People often say that they can’t think of a password that fits the password policy of the system while also being strong and easy to remember. A truly strong password like CEzvl7+4G@Og3Js!2vr is something that no one should be expected to remember.
Systems like LastPass allow us to generate truly strong passwords for services and, in combination with a two-factor authentication system, they allow us to only have to remember one truly strong password. As per the comic above from XKCD, creating a password by combining words together is harder for computers to crack but much easier for humans to remember as opposed to a password that only machines can remember.
However, the issue with a password made from word combinations is that it often doesn’t meet the complexity requirements of many systems, and those systems simply don't allow it. An augmentation of this is to use words in combination with numbers and special characters, such as Blue21Cheese@knife. This type of password meets the complexity requirements of many systems and is still simple enough to remember. People can also use memorable words or dates.
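As an added example (not part of the original post), the Python below compares the entropy of a machine-generated string like the one above with that of a word-combination password in the Blue21Cheese@knife shape, and generates such a password with a CSPRNG so that it still satisfies an assumed policy of one capital letter, two digits and one special character. The word list is a constructed sample; a real generator would use a large public list.

```python
import math
import secrets
import string

# Constructed sample word list; a real generator would use a large public
# list (e.g. the 7776-word EFF diceware list) so each word adds ~12.9 bits.
WORDLIST = ["blue", "cheese", "knife", "horse", "battery", "staple",
            "correct", "river", "candle", "orbit", "pencil", "glacier"]
SYMBOLS = "@#!$%&*"


def charset_entropy_bits(password: str) -> float:
    """Bits of entropy if every character were drawn uniformly from the
    classes the password uses (the best case for a machine-generated string)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(size)


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of the random choices made by generate_passphrase(): the words,
    the two-digit number and the symbol. The layout itself is assumed known."""
    return (num_words * math.log2(wordlist_size)
            + math.log2(100) + math.log2(len(SYMBOLS)))


def meets_policy(password: str) -> bool:
    """Assumed policy: a capital letter, two digits and one special character."""
    return (any(c.isupper() for c in password)
            and sum(c.isdigit() for c in password) >= 2
            and any(c in string.punctuation for c in password))


def generate_passphrase(num_words: int = 3, wordlist=WORDLIST) -> str:
    """Word-combination password in the 'Blue21Cheese@knife' shape, drawn with
    the secrets CSPRNG, that also satisfies meets_policy()."""
    if num_words < 2:
        raise ValueError("need at least two words")
    words = [secrets.choice(wordlist) for _ in range(num_words)]
    number = f"{secrets.randbelow(100):02d}"     # the two digits
    symbol = secrets.choice(SYMBOLS)              # the special character
    password = words[0].capitalize() + number + symbol.join(words[1:])
    if symbol not in password:  # two words leave no join point, so append it
        password += symbol
    return password
```

With the EFF list, passphrase_entropy_bits(3, 7776) is about 48 bits while the 19-character random string is about 125 bits, which is why the long passphrase is the memorable trade-off rather than a free win.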
Has anyone got any better ideas for password creation out there?
Ideally the world would do without passwords and have a zero-knowledge solution for everything, as the strongest password is one you never have to reveal.
But until then passwords are an evil that we will have to deal with for a few more years to come.