Passwords must be no fewer than seven characters, although they can be as long as you want, and considering the advances in "cracking," they really ought to be more like twelve. Use no fewer than three types of characters (uppercase being one type, lowercase a second, numbers a third, and symbols a fourth), and do not make the password similar to the account name. For example, "jsmith" shouldn't use "Jsmith1" as the password: even though it is seven characters and of three different types, it is too easily "cracked".
They don't have to be terribly cryptic, and recent research seems to suggest it's better that they not be, but longer passwords are better. Things like "Highway-299", "Steiner-Flat" or "Plummer-Peak" would work. Of those, "Plummer-Peak" is the least secure in that it's just two basic English words with a symbol between them. Password cracking programs would guess it pretty quickly. "Steiner-Flat" has a less common word, so it's somewhat better, and "Highway-299" is about the same, with a common word and a (semi) random number. Password cracking programs would take a little longer with those.
"Fifty7-Chevy!" is getting a little better. It is an easily remembered phrase (at least to a car buff!) and has more combinations of words, numbers and symbols.
Following the "longer passwords" idea, things like "Boogieboarding-surfing" or "Sixties-moonshots" could be better. They're not common English words (or they're at least compounds of common words) and they're pretty long but not too difficult to type. Misspelling one of the words adds more complexity for a password hacking program to get through, so "PineNedles-and-cones" or "RiversAnd-Strems" would be good candidates for passwords.
Another consideration is to NOT use the same password for everything. I've seen it several times now that a person used the same password on his or her email, Facebook and even bank account. Someone guessed or otherwise cracked the email password and caused all sorts of problems for them. Still another consideration is that even if you don't have anything you are worried about other folks getting into, your email account sits on a server with a lot of other email accounts. If someone cracks your email account and uses it to send a ton of spam, that gets our email server on several "blacklists" and then nobody can send email outside of TCOE.
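The composition rules at the top of this page (minimum length, three of four character types, not similar to the account name) can be checked mechanically. The following is an added example, not part of the original guidance; the page does not define "similar", so the look-alike table and the containment test in `resembles_account` are assumptions, as are all function names.

```python
MIN_LENGTH = 7           # minimum stated on the page
RECOMMENDED_LENGTH = 12  # length the page says passwords ought to be
MIN_TYPES = 3            # out of uppercase, lowercase, numbers, symbols

# Assumption (not from the page): common look-alike substitutions are undone
# before comparing with the account name, so "J5m1th!" still matches "jsmith".
LOOKALIKES = str.maketrans("0134578@$", "oieastbas")


def character_types(password):
    """Return which of the page's four character types appear."""
    types = set()
    for ch in password:
        if ch.isupper():
            types.add("uppercase")
        elif ch.islower():
            types.add("lowercase")
        elif ch.isdigit():
            types.add("number")
        else:
            types.add("symbol")
    return types


def resembles_account(password, account):
    """True if the account name survives inside the password once case,
    look-alike characters, digits and symbols are ignored (assumed rule)."""
    def letters(text):
        return "".join(c for c in text.lower().translate(LOOKALIKES) if c.isalpha())
    name = letters(account)
    return bool(name) and name in letters(password)


def check_password(password, account):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_types(password)) < MIN_TYPES:
        problems.append(f"fewer than {MIN_TYPES} character types")
    if resembles_account(password, account):
        problems.append("too similar to the account name")
    return problems


def below_recommended_length(password):
    """True if the password meets the minimum but is under twelve characters."""
    return MIN_LENGTH <= len(password) < RECOMMENDED_LENGTH
```

Passing these checks only shows that a password meets the composition rules; as the "Plummer-Peak" example shows, a password can satisfy all of them and still be built from words a cracking program guesses quickly.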