passwords strength ultimately depend on its length and combinations (uppercase, lowercase, numeric, etc.)
passwords better be memorized so that you do not have to write it down which may cause leakage.
password should not include personal data like, birthday, address, phone, etc.
nine characters passwords usually can be cracked between minutes to a month.
nist.gov of US Department of Commerce do NOT recommend you change your password regularly. change only when required, in case of breaches, etc. because every time you change passwords, you will tend to write it down.
if you have to write down password, use password manager, like buttercup
refs
https://haveibeenpwned.com/Passwords
https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-mandatory-reset-rules
https://nordpass.com/most-common-passwords-list/
https://xkcd.com/936/
https://pages.nist.gov/800-63-4/sp800-63b/passwords/