Following this guidance, one might create a password like "P@sswrD1!" that looks complex but is easy to guess, thanks to such common substitutions. Burr also wrote that users should change their passwords every 90 days, but that led user to make only small, incremental changes, like updating to "P@sswrd2!" or something equally easy to guess and lulling users into a false sense of security
Apart from this, "We recommend using at least 15 characters in your passwords, as stronger computers can crack shorter passcodes quickly, as well as using upper-case and lower-case letters, special characters and numbers. Don't use the same password in two places (especially with the same user name or email address) and store them all in a password manager."
Too bad the one word example's they give on the link (in the 2nd to last paragraph above, if you go to that site) for "iH82wkl8" would be cracked by a computer in 2 hours or less - so not really a great example. I like the "Dice" method mentioned by Peterkendrick. I use a similar method of a phrase ranging from 4 to 7 words of variable lengths (can be 4 to 7 letters) and then jumble up the phrase so it's not a recognizable phrase. For instance "sky high fly you into" would take a ridiculous amount of time (checked on this site (https/howsecureismypassword.net/) takes 41 Quadrillion years) on normal computers to "crack". Whether that's true or not, I don't know for sure, but this is similar to the Dice Method. Not sure websites allow you to just do lower case letters or whatever for the password. They have their own rules of what you "need" to do in order to be safe, and most of the ways would get cracked in no time flat. For instance, they would require you to have minimum 8 letters, one captitalized, one symbol, one number, tc.