Thanks for the suggestions
In many places it is still required to use numbers, special characters and capital letters.
BUT because such a password is difficult to remember, many users just invent one password and reuse it! A bad habit.
I have read that the most important thing is to have a very long password.
I have made up a long strange sentence, from which I can remember the password.
All that matters for active authentication is that you can remember it and it isn't easily guessed.
Active authentication can't be brute forced, because any such attempt would look like a DDoS attack (in the context of an authentication server); local active authentication, like OS user passwords, also limits how often you can try in a given period.
All 'cybersecurity experts' who claim that your password needs an element of randomness are poorly educated. They or their teachers conflate an encryption key with a password.
Sometimes the terms are used interchangeably but they are very different in practice.
An encryption key is the solution to an encryption. Encrypted data is just data, not an authentication system. It just sits there, it can't have timeouts. It can (in theory) be brute-forced provided the enemy has your encrypted files.
That is why every sane and competent developer of secure systems does not let users choose their own encryption keys. They are generated for you and they are long (sometimes 512 bits or 64 characters long).
As this breach may show (I don't know if it's real or not), keeping it in your head is a lot safer than trusting a company, and if they are syncing your passwords over the internet through their own servers that's trusting them.
Using the same password for everything is certainly dangerous, because whenever you set up a password for a remote authentication server (say Zooville) they may or may not be able to keep that password safe.
Using a nonsense password doesn't help with that problem at all, except insofar as it reminds you that you should generate a new password for each authentication server.
Best = Use passwords that you can remember with no clear pattern; size doesn't matter. The problem is that no real person can remember a way to do this.
Second Best = Have one password you can remember, long enough to be used as an encryption key. That gives access to a local file containing the unique passwords for all the different credentials. It doesn't matter if they are nonsense or not, because you aren't trying to remember them. Then back up the encrypted file to a cloud sharing service.
This is not trusting the cloud sharing service with your passwords, it's just trusting it to sync a file. So long as your single memorized password is long enough brute forcing the encryption would be unrealistic.
If you don't feel the need to sync the file, all the better.
If you find some open source software that manages the passwords for you LOCALLY that is just a convenient form of this strategy. I have never felt the need for such software, a simple text file works for me.
Not Good = Trusting a company to keep your passwords either by trusting their staff and server administration or by trusting their proprietary software that may be piping your info back to them secretly.
Absolute Worst = Using the same password for everything. The first database to be compromised breaks your entire universe.
Notice how having random characters and lack of dictionary words doesn't ever enter into the equation. It's a red herring. The cybersecurity equivalent of wearing a tin foil hat.
99% of hacking happens when someone gets access to your password. None of it (statistically speaking) is due to brute force decryption. Anything that makes you write down your password on paper is a bigger threat than having a memorable password.
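The "Second Best" scheme above (one memorized passphrase protecting a local file of unique, unmemorable passwords, with only the encrypted file ever leaving the machine) as an added, self-contained example. This is not code from the post or from any project it mentions; it uses only the Python standard library. The passphrase is stretched with scrypt so that each offline guess against a stolen copy of the file is expensive, and the file is protected with an encrypt-then-MAC construction built from HMAC-SHA256 (a counter-mode keystream plus an authentication tag) because the standard library has no AEAD cipher. The scrypt parameters and the sample vault contents are assumptions for illustration; in practice a vetted tool such as age, gpg or an AES-GCM library is the better choice.

```python
"""Passphrase-protected local password vault (added example, stdlib only)."""
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters: roughly 32 MiB and tens of milliseconds per
# guess on a laptop. Raising N makes every offline brute-force guess slower.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 15, 8, 1
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the memorized passphrase into two independent 256-bit keys:
    one for the keystream, one for the authentication tag."""
    km = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                        maxmem=64 * 1024 * 1024, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(key, nonce||i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. Fresh salt and nonce every
    time, so re-encrypting the same vault never reuses a keystream."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_vault(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything; a wrong
    passphrase and a tampered file are both rejected the same way."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered vault")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


# Constructed sample vault: one random, unmemorable password per site.
SAMPLE_VAULT = (b"forum.example.com: 9mQx!vR2#pLw7Zt$\n"
                b"mail.example.org:  Hk4&bN1^sYe8Cq@u\n")

if __name__ == "__main__":
    blob = encrypt_vault("a long strange sentence only I remember", SAMPLE_VAULT)
    # Only `blob` would be synced to the cloud; the passphrase never leaves your head.
    print(decrypt_vault("a long strange sentence only I remember", blob).decode())
```

The only secret the sync service ever sees is the blob; without the passphrase it has to run scrypt once per guess, which is the cost that makes offline brute force of a long passphrase unrealistic.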