They're easy to remember and hard to crack
Like many companies, we define our policies to require complex passwords that must be changed more often than users would like (normally every 30 days).
Our suggestion to users has always been to pick a passphrase, that is, a sentence or a phrase, rather than a password. A sentence or phrase is normally easier to remember because we do something called "data chunking" that lets us remember a group, or chunk, of related data.
While passphrases are inherently easier for us to remember, they are complex for computers because sentences have capital letters, spaces, punctuation, and sometimes even numbers. The greater length of passphrases also helps. Even something short like "Viva Las Vegas" is 14 characters with three types of characters.
Inspiring phrases, funny sayings, Bible verses, lists, and even a line of code can all be good passphrases. Just like with passwords, though, you want to avoid easy-to-guess passphrases such as those containing personal information or famous quotes.
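The two points above, length and character types on one hand and easy-to-guess content on the other, can be checked together. The following is an added example, not part of the original article: the function name `assess`, the personal terms, and the one-entry phrase list are all constructed for illustration.

```python
import math
import string

# Character classes counted toward complexity, with their alphabet sizes.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "space": " ",
    "punct": string.punctuation,
}


def _fold(text):
    """Lower-case and drop everything but letters and digits for comparison."""
    return "".join(c for c in text.casefold() if c.isalnum())


def assess(secret, personal_terms=(), known_phrases=()):
    """Report length, classes used, a brute-force bound in bits, and findings."""
    used = [name for name, chars in CLASSES.items()
            if any(c in chars for c in secret)]
    alphabet = sum(len(CLASSES[name]) for name in used)
    # Upper bound only: assumes an attacker guesses character by character.
    # Guessing whole words or known phrases is far cheaper, hence the findings.
    bits = len(secret) * math.log2(alphabet) if alphabet else 0.0
    folded = _fold(secret)
    findings = [f"contains personal term: {t}" for t in personal_terms
                if _fold(t) and _fold(t) in folded]
    findings += [f"matches known phrase: {p}" for p in known_phrases
                 if _fold(p) and _fold(p) in folded]
    return {"length": len(secret), "classes": used,
            "bits": round(bits, 1), "findings": findings}


if __name__ == "__main__":
    # Constructed sample inputs; the two lists stand in for data a site would supply.
    personal = ["jordan", "1987"]
    famous = ["to be or not to be"]
    for candidate in ["Viva Las Vegas", "P@ssw0rd!",
                      "To be, or not to be!", "Jordan likes tea in 1987"]:
        print(candidate, "->", assess(candidate, personal, famous))
```

The 14-character phrase scores a higher brute-force bound than the 9-character password that uses four character types, while the last two candidates are flagged despite their length.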
If you'd like to learn more about passphrases, Microsoft published the three-part series “The Great Debates: Pass Phrases vs. Password”, which has a lot of helpful information.
You can find this three-part series here:
The Great Debates: Pass Phrases vs. Password - Part 1