A few years back if someone asked me how a secure password should look like I would have said: have between 8 and 12 characters and contain random upper-case, lower-case, at least one number and one symbol if allowed. Back then such a password was unbreakable with anything but the strongest super-computers. Anything over 12 was pointless and would just take more time typing which is annoying especially for those situations where you need to type it often (like your Windows login screen).
However, times have changed. Computers have become much more powerful and affordable and with the recent advancements in cloud computing brute-forcing a password has become a more viable strategy.
You may ask yourself what does brute-forcing means? It means trying every possible combination for a password until a match is found. For example, a brute-forcing program might start with the password aaaaa and work its way through all combinations until ZZZZZ. This is a very basic example as they are much smarter than this (like trying more likely combinations first).
So, how does a secure password looks like today? The answer is passpharse. We can have secure passwords by taking passphrases and turning them into passwords. Example: "I like strawberries!" can become 1L1k3Strawb3rr13s!.
What I did was take a phrase that is easy to remember, replaced "i" with 1 and "e" with 3 and used capital letter for first letter of every word. Now we have a password that is 18 characters long yet it's easy to remember and decently fast to type (with some practice). Compare this to something like z1XqV453tZ86!Ubn9. I'll let you decide which one is best.