Advice:

• Never use a password that is easily guessed by those who know you, e.g. don't use names of members of your family or pets.
• Never use a numerical password that is associated with you publicly, e.g. don't use your telephone number.
• Never use a mixed number/letter password that is associated with you publicly, e.g. don't use your present vehicle registration plate.
• Never use your name or User ID also as your password - or "Fred" or "Password!"
• Never use passwords containing complete words, in any language.
• Never let anyone see what you are typing - either from the screen or the keyboard - when logging on in a public place such as an Internet Cafe.
• Never tell anyone your password.   Did you know that someone can copy or remove your email before you get to it, if they know your ISP logon and password?
• Never re-use the same password you have used the previous twelve times.
• Never post or write down your password in obvious places.
• Never embed your password in any automated logon procedure.

Good Practices, if the system allows it:

• Change your password at least every 90 days.
• Use a password that contains a combination of numbers and letters
• Use six characters or more.
• Make your password complicated but easy for your to remember.
• When creating your password, think of a memorable phrase, e.g. "The Quick Brown Fox Jumps Over The Lazy Dog" Use the first letter of each word and convert some into numbers that resemble letters, such as in this example: tq6fj0tld.  Some systems differentiate between UPPERCASE and lowercase characters, so mix some of those in, too, where possible, e.g. Tq6fj0TLd

Amazingly, one well-known UK Bank forces letters-only passwords, while another provides you with an unchangeable password that is all numbers!