I am thinking of providing the following advice to users during password creation:
"Use a memorable phrase as a password with a mix of uppercase letters, numbers and special characters, e.g.
Margaret Thatcher is 110% SEXY.
But please do not use too many repeated characters/numbers, and avoid using personally identifiable information in the password such as username, email ID, real name, etc."
Is this advice sound? What else should be included? At the backend I am using zxcvbn to check password strength.
Motivation for this advice is:
1. xkcd: https://xkcd.com/936
2. The password mentioned in the title was, as an example, suggested by Edward Snowden on the Last Week Tonight show: https://www.youtube.com/watch?v=yzGzB-yYKcc
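As an added example (not code from the question or from zxcvbn), here is a backend pre-check in JavaScript that enforces the two rules in the proposed advice before the password is handed to zxcvbn. The profile field names, the thresholds (a run of four identical characters, or one character making up more than half the password) and the minimum token length are assumptions.

```javascript
// Tokens derived from the account profile (username, local part of the email, real name).
// The same list can be passed to zxcvbn as its second argument (user_inputs) so that
// zxcvbn also penalises passwords built from them. Profile field names are hypothetical.
function personalTokens(profile) {
  const localPart = profile.email ? profile.email.split('@')[0] : '';
  const tokens = [];
  for (const value of [profile.username, localPart, profile.realName]) {
    if (!value) continue;
    // "jane.doe" -> jane, doe; "Jane Doe" -> jane, doe. Fragments shorter than 3 chars
    // are dropped because they would match almost any password.
    for (const part of value.toLowerCase().split(/[\s@._\-+]+/)) {
      if (part.length >= 3) tokens.push(part);
    }
  }
  return tokens;
}

// Case-insensitive substring match against every personal token.
function containsPersonalInfo(password, profile) {
  const lower = password.toLowerCase();
  return personalTokens(profile).some((t) => lower.includes(t));
}

// "Too many repeated characters": a run of 4+ identical characters ("!!!!", "1111"),
// or a single character making up more than half of the password ("a1a2a3a4a").
function hasExcessiveRepeats(password) {
  if (/(.)\1{3,}/.test(password)) return true;
  const counts = new Map();
  for (const ch of password) counts.set(ch, (counts.get(ch) || 0) + 1);
  return Math.max(...counts.values()) > password.length / 2;
}

// Returns the list of advice rules the password violates; empty means it may proceed
// to the zxcvbn strength estimate (e.g. zxcvbn(password, personalTokens(profile))).
function policyCheck(password, profile) {
  const problems = [];
  if (hasExcessiveRepeats(password)) problems.push('too many repeated characters');
  if (containsPersonalInfo(password, profile)) problems.push('contains username, email or name');
  return problems;
}
```

Note that the Snowden phrase itself fails the personal-information rule for a user who is actually named Margaret Thatcher, which is why the profile tokens, not a fixed blocklist, drive the check.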