
@lislis
Created March 19, 2020 13:31
General Security Tips

Passwords

What makes a strong password?

Password length

These days a strong password should be at least 12 characters long. The more the better, because if an attacker does not know anything about our password, they have to try every possible combination, and the number of combinations grows exponentially with the length!

Numbers, uppercase letters etc.

While it's a good idea to increase the entropy of the character set you're using for your password (that is, how many options there are for a single character if an attacker had to guess all possible combinations), it only helps if the characters are truly random. Humans are actually very bad at coming up with randomness. Most of the time people replace an e with 3 or an a with 4, or just put an uppercase letter at the beginning and a special character at the end. These patterns in 'human-generated' passwords are so common that they actually make the password easier for the attacker to guess.

When in doubt, choose a longer password instead of adding obvious numbers or special characters.

Do not reuse passwords

Use one password for one account. This is maybe the most important rule in password security. In case one account gets hacked, the attacker does not automatically have access to any other accounts. If a provider's password database gets leaked, you can be sure that only that one account's security is affected. Such leaks happen more often than you think, often without the provider even knowing about it!

No personal references

We already know humans are bad at randomness. That's why it's important to keep an eye on personal biases in our passwords. No birthdays, names, street addresses, pets or anything that could be related to you and guessed by someone who does a little research about you on social media!

Pass phrases

Think of pass phrases as very long passwords that are composed of 5-6 random words. Since they are real words our brain has an easier time remembering them, but they are so long that it would be incredibly hard to guess them. The random combination of words is important, too, since we don't want the phrase to appear in any written media on the internet (which an attacker could use for so-called dictionary attacks). So no song lyrics, movie quotes or poetry! Password managers (like KeePassXC) can also generate pass phrases for you.
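To put numbers on the "length versus character set" and pass-phrase advice above, here is an added example (not part of the original gist) that computes the entropy of uniformly random passwords and pass phrases and generates both with Python's `secrets` module. The tiny word list and the 10^10 guesses/second rate are constructed assumptions for illustration; a real Diceware-style list has 7776 words.

```python
import math
import secrets
import string

# Constructed sample word list; a real Diceware list has 7776 entries.
SAMPLE_WORDS = ["anvil", "bishop", "cactus", "dolphin", "ember", "fjord",
                "gadget", "harbor", "iguana", "juniper", "kettle", "lantern"]

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly from charset_size**length options."""
    return length * math.log2(charset_size)

def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a pass phrase of `words` words picked uniformly from the list."""
    return words * math.log2(wordlist_size)

def expected_guesses(bits: float) -> float:
    """On average an attacker finds the secret after searching half the keyspace."""
    return 2 ** (bits - 1)

def years_to_brute_force(bits: float, guesses_per_second: float = 1e10) -> float:
    """Rough cost of exhaustive search at an assumed (constructed) guess rate."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)

def generate_password(length: int, alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random password using the OS CSPRNG, not random.choice (which is predictable)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_passphrase(wordlist: list, words: int, sep: str = " ") -> str:
    """Random pass phrase: each word is chosen independently and uniformly."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

if __name__ == "__main__":
    # 12 random lowercase letters vs 6 Diceware words: the phrase wins on entropy.
    print(f"12 lowercase letters: {entropy_bits(26, 12):.1f} bits")
    print(f"12 letters+digits:    {entropy_bits(62, 12):.1f} bits")
    print(f"6 Diceware words:     {passphrase_bits(7776, 6):.1f} bits")
    print(f"years to brute-force 6 words: {years_to_brute_force(passphrase_bits(7776, 6)):.0f}")
    print("example password:  ", generate_password(16))
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```

Note that the entropy figures only apply when every character or word is chosen by the generator; a human-chosen "P4ssw0rd!" draws from a far smaller effective space than these formulas suggest.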

Handling passwords

Use a password manager

Use a password manager to keep track of your passwords. You don't have to remember each individual password, just the master password for your manager. It will also generate passwords or pass phrases for you. This makes having one password per account really easy! A good cross-platform and open source password manager is KeePassXC.

On changing passwords

Sometimes sites force us to change passwords. While changing passwords every 6 months or so is a good idea in general, in practice it most often leads people to choose worse passwords each time because they have a harder time remembering them. It's not strictly necessary if you use a strong, long password that is unique. If a service makes you change it, use a password manager to keep track of the new passwords.

Do not save passwords in the browser

Browsers save passwords unencrypted and a malicious plugin or website could exploit weak security and get access to those passwords! Use a password manager separate from your browser.

One password for you

Do not share passwords with others! Check if you can set up a team account or something similar where every person has their own account and password. If you absolutely have to share one, make sure it's very strong, like a 6 word pass phrase, and share it over an encrypted channel (like encrypted email or Signal). It also makes sense to change a shared password regularly since it is more prone to leak.

Physical security

Shoulder surfing

When in public places (or anywhere, really) make sure no one is watching you type in your password. This might seem paranoid, but it is an important measure against the more IRL types of attack in the realm of social engineering.

Secure your physical device

It is highly recommended to have a password on your computer and phone (or even to encrypt them). Usually you are logged into your online accounts on your devices. They can get lost or stolen, and then an attacker could use the accounts that are still open. Have your computer and phone lock themselves after a short time, and never leave them unattended, especially in public places like cafes or libraries.
