Today, we are bombarded with a plethora of 'recommendations' on how to choose a good password and they all seem at best random and at worst contradictory. There are explicable reasons for this, albeit no neccesarily good ones.
Each recommedantion is designed to defend against a particular weakenss with the whole password-based approach to authentication. But because each approach only defends against one specific vulnerability, it leaves itself open to all the other vulnerabilities. So along comes another recommendation to deal with that, and the whole vicious circle repeats itself. So lets lift the lid on what's going on, to see how we can improve things (plot spolier: don't use just passwords!).
If you have to remember a password -- and you shouldn't have to do that except in a couple of limited cases, see later -- then you should choose one that is "long and strong".
To make a strong password, combine three random words with some punctuation and numbers. For example, combine the three words potato, carton, newspaper to get the strong password "potato.carton3newspaper".
Historic advice about passwords was constrained by a combination of technical limitations and 'organisational culture'.
The first limitation, technical, resulted in constraints on password length. Even as late as the early 90s, the memory and disk hardware that computers needed to work was still relatively expensive, and so it couldn't be considered a 'consumable resource' in the way it is today. There the software that ran on them couldn't take quite the liberties that developers can today [the subject of another post!] . Every byte cost money, and devoting any of it to something not obviously required ("who's going to remember a 20 character password ?") wasn't going to happen: so passwords were limited in length.
With only 8, 10 or 12 characters to play with to store the password, it was essential to mix those characters up as much as possible to make it difficult to guess the password, hence all of the nonsense about "must contain upper case, lower case, numbers, 'special characters', etc." ("All characters are special" -- @troyhunt). But that results in passwords which are difficult to remember, and as a consequence, produces an entirely different set of vulnerabilities.
Because passwords were difficult to remember people, entirely understandably, wrote them down and reused them across multiple systems. The latter activity meant that when one systems was breached, the attacker had a fair chance of getting hold of a password which would work on many other systems. The former behavior increased the risk that passwords could simply be easily stolen, exacerbating the latter problem.
To deal with these problems, 'rules' were developed. But first to backtrack a little.
When it was realised that access to business applications were spreading out within organisations: increasing availability of direct access to finance and HR system by department managers, and even all members of staff, instead of access being restricted to just those in the HR or finance departments, folks who had audited those things in the way that they had done for decades suddenly realised that this new-fangled 'IT' was now also in-scope, to use that phrase. But they had no particular understanding of technology and its vulnerabilities. Therefore they had no particular expertise in developing mitigating strategies to defend against these risks, and just made up their own.
No one is quite sure where the mandate to "change you password regularly" came from, but it's been embeded in audit requirements as long as anyone can remember. As alluded to above, regulary changing your password may defend against one kind of vulnerability (a breached password is like to get changed soon, reducing the window of opportunity for it to be exploted) but it complete fails to recognise the more fundamental problem which is that people are really bad at choosing passwords: coupled with the restricted set of passwords that people can construct (the 8 or 12 character limit) and it was almost inevitable that folks would pick passwords like 'p@ssw0rd' or 'qwerty123'. When you pile on top of that the need to change passwords every month, or whatever, it was entirely forseable that people would simply change their passwords to 'p@ssw0rd1' or 'qwerty124', thus adding absolutely no additionall security wghatsoever, and sometime actually reducing it as folks struggled to meet increasingly absurd requirements designed to meet an entirely flawed security model.
@troyhunt has developed a website where he inflicts spammers to an insurmountable challenge to meet a never-ending series of challenges to create a secure password. It's a great way of tying-up spammers into knots, and while they are wasting their time there, they're not scamming vulnerable victims.
If you go and have a play, you'll quickly realise how absurd these kind of requirements are!