This is a good article on password cracking: http://arstechnica.com/security/2012...under-assault/
Points to take away:
1. don't re-use the same password at multiple sites. If/when one site gets compromised, you want the damage to stop there.
2. don't rely on "mangling" a word (e.g. g0lfba11 in place of golfball) or simply tack on numerals or symbols (kittens!!!1). They're wise to your tricks.
3. If possible, avoid any dictionary basis for your passwords at all. To make this easier, consider using password manager software like LastPass, or a fingerprint scanner & software (I use an Authentec Eikon Solo for this), so you can use truly strong, lengthy passwords that are unique for each site, without having to remember them all.
4. my tip: if you can get away with it, add at least one "special" character that wouldn't be found on a normal keyboard. For example, hold ALT and type 1098 on the keypad, and when you let go, you get a Æ (in Windows, anyway). This is a game-changer for a ******* since they're almost certainly going to crack for the standard keyboard characters only. I realize this isn't feasible for everyone (laptops, phones). Some sites will not allow special characters, either.
The article isn't just another article on how to pick a strong password. They show how crackers get their hands on literally millions of passwords at a shot, brute-force them on specially-constructed systems armed with multiple GPUs, and learn from the results so they can refine their strategies and algorithms. They also keep accumulating more and more "hashes" (basically digital fingerprints) of the top tens of millions of passwords that people actually pick in real life.
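To make points 2 and 3 concrete, here is a small added example (my own code, not from the Ars article or the tools it describes) of how a rule-based dictionary attack works: take each word from a wordlist, apply leet-speak substitutions and common suffixes, hash every candidate, and compare against the leaked hashes. The wordlist, the substitution rules, the suffix list and the "leaked" hashes are all constructed here and are tiny; real rule sets have thousands of entries and real wordlists are the tens of millions of previously cracked passwords mentioned above. Unsalted MD5 is assumed as the hash, which is what many of the dumps in the article used.

```python
"""Toy rule-based dictionary attack (constructed example, not the article's tools).

Shows why "g0lfba11" and "kittens!!!1" fall to a cracker while a random
password generated by a password manager does not appear in the candidate set.
"""
import hashlib
import itertools

# Constructed wordlist standing in for a dictionary of leaked passwords.
WORDLIST = ["password", "golfball", "kittens", "sunshine", "dragon"]

# Leet substitutions applied per character (a typical cracking rule).
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

# Suffixes users commonly tack on, so rule sets append them too.
SUFFIXES = ["", "1", "!", "!!", "!!!", "!!!1", "123", "2012", "!1"]


def hash_hex(text, algo="md5"):
    """Hex digest of `text` under an unsalted fast hash (MD5 assumed)."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def leet_variants(word):
    """Yield every combination of leet substitutions for `word`.

    Uppercase letters are left alone because LEET only maps lowercase ones."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def mangle(word):
    """Yield the candidate passwords a rule set derives from one dictionary word:
    three casings x every leet combination x every suffix, without duplicates."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            for suffix in SUFFIXES:
                cand = variant + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(target_hashes, wordlist=WORDLIST, algo="md5"):
    """Try every mangled candidate against the target hashes.

    Returns (found, tried): found maps recovered hash -> plaintext, tried is the
    number of candidates hashed. Stops early once every target is recovered."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            h = hash_hex(cand, algo)
            if h in remaining:
                found[h] = cand
                remaining.discard(h)
                if not remaining:
                    return found, tried
    return found, tried


def demo():
    """Constructed 'leak': two mangled dictionary words plus one random
    manager-generated password. Only the first two are recovered."""
    secrets = ["g0lfba11", "kittens!!!1", "xK7#vQ2pLm9!rT4s"]
    targets = {hash_hex(s): s for s in secrets}
    found, tried = crack(targets)
    for h, plain in targets.items():
        status = "CRACKED as " + found[h] if h in found else "not found"
        print(f"{h}  {plain!r:22} {status}")
    print(f"candidates tried: {tried}")
    return found, tried


if __name__ == "__main__":
    demo()
```

Note that the two "clever" passwords fall within a couple of thousand candidates on a single CPU core; the GPU rigs in the article try billions of MD5 candidates per second, so the only thing that keeps a password out of reach is not being derivable from a wordlist by any rule at all, which is exactly what a manager-generated random password buys you.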