For critical websites such as email, banking and credit cards accounts you should change your password every three months. Put it on your calendar to remind yourself. You might also consider changing the password on sites that have a lot of personal information, such as Facebook.
A good password should contain at least eight characters or more.
Your password should be a combination of letters, numbers and symbols.
Don't use personal information such as your birthday, driver's license, passport number, or your name.
Password hacking software automatically checks for common letter-to-symbol conversions, such as changing "and" to "&" or "to" to "2" so don't think you are fooling anyone.
Don't use dictionary words or typical phrases, words spelled backwards, sequential, or repeated characters (1234 or 2222).
Now, check your password. Is it strong? Microsoft has a place to check your password strength. ☺