Every time I read a password recommendation or policy, I get frustrated. It is always about their length and complexity, and they miss the real issue with passwords and how they get compromised.
So I wrote this small (non technical) paper on my thoughts on passwords and how I define a good password: http://dcid.me/texts/good-passwords.