Standards for Strong Passwords?
Message
From
03/08/2009 11:56:44
 
 
To
03/08/2009 10:57:43
General information
Forum: Visual FoxPro
Category: Other
Environment versions
Visual FoxPro: VFP 9 SP2
Miscellaneous
Thread ID: 01415871
Message ID: 01415899
Views: 54
Here are the rules I was taught.

Must contain upper and lower case
Must contain at least one number
Must be at least eight characters
If words are used then combine two disassociated words.

Example D0gBR1be (Dog Bribe)
Easy to remember and tough to figure out.


>>> I was wondering if when you say there is no standard, do you mean that the number returned is not a standard or the level of strength ASSIGNED to that number is not a standard (i.e. good, strong, excellent, etc.).
>>
>>Effective bit length of a password is a standard measurement. But their segregation into groups is artificial. On my keyboard, for instance, I find keys for ö ä ü and ß. I consider those keys to be characters and would use them as likely as a b c, etc. in a password. That means, on my German keyboard, lower case alpha has 30 members and upper case characters have 29. On your keyboard you can only enter them by holding down the ALT key and typing their ANSI code on the num pad, or by switching the keyboard layout.
>>
>>There's also no standard for how many bits a secure password should have.
>
>Depending on the real-world use, password strength can be a really moot point. Even a password of just a few letters and/or numbers is sufficient if (as you already pointed out) some sort of account suspension or delay between attempts is applied. Bank debit / credit cards often have just a 4 or 5 numeric PIN backed up by account lockout after 3 attempts and some sort of intelligent monitoring of usage habits.
>
>In software applications one must also consider whether the attacker has access to the application itself and/or the password file. If you don't have access to these and some sort of account lockout is in effect, then dictionary attacks, rainbow tables, and brute force attacks become all but impossible.
>
>The problem is rarely passwords per se but insufficient controls applied by the application's password checking procedures.
I ain't skeert of nuttin eh?
Yikes! What was that?
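
The following is an added example, not part of the original posts: it checks the rules listed in the message and computes the effective bit length discussed in the quoted replies for the post's example password, using the 30/29 German class sizes and the 4-digit PIN with a 3-attempt lockout mentioned there. The layout table and function names are assumptions made for illustration, and the bit figure is an upper bound that assumes every character is chosen at random.

```python
import math

# Class sizes follow the quoted reply: a German layout adds ö ä ü ß to lower
# case (30 members) and Ö Ä Ü to upper case (29 members).
US = {"lower": "abcdefghijklmnopqrstuvwxyz",
      "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
      "digit": "0123456789"}
LAYOUTS = {"us": US,
           "de": dict(US, lower=US["lower"] + "öäüß", upper=US["upper"] + "ÖÄÜ")}

def meets_rules(pw):
    """Rules listed in the post: upper and lower case, a number, length >= 8."""
    return (len(pw) >= 8 and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw))

def pool_size(pw, layout="us"):
    """Alphabet size to search: the sum of every class the password draws from."""
    classes = LAYOUTS[layout]
    stray = [c for c in pw if not any(c in chars for chars in classes.values())]
    if stray:
        raise ValueError(f"characters outside the modelled classes: {stray}")
    return sum(len(chars) for chars in classes.values()
               if any(c in chars for c in pw))

def effective_bits(pw, layout="us"):
    """Upper bound: length * log2(pool), assuming uniformly random characters."""
    return len(pw) * math.log2(pool_size(pw, layout))

def online_hit_chance(keyspace, attempts_before_lockout):
    """Chance of guessing a uniformly chosen secret before the account locks."""
    return min(1.0, attempts_before_lockout / keyspace)

if __name__ == "__main__":
    pw = "D0gBR1be"  # example password from the post
    print(meets_rules(pw), pool_size(pw, "us"), pool_size(pw, "de"))
    print(round(effective_bits(pw, "us"), 1), round(effective_bits(pw, "de"), 1))
    # 4-digit PIN with lockout after 3 attempts, as in the quoted reply
    print(online_hit_chance(10**4, 3))
```

The same eight characters score about 1.2 bits higher on the German layout only because the assumed pool grows from 62 to 69, which is the grouping effect the quoted reply describes.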