Easily remembered is not what you want for a password, the longer the better with #$ caps etc. is what you want. Making them easy defeats the purpose, unless it's a "fun" account aka nothing of value to you.
Agree.
Let's illustrate.
There are 26 lower case letters in the alphabet, another 26 upper case letters, ten digits, and about 30-40 other usable characters. We'll round it out to 100 possibilities for each position in the password.
If you have a four-character password and use a mix of all ranges, that's 100 Million different password possibilities. Five characters? 10 Billion. Six? 1 Trillion. Eight? 10,000 Trillion possibilities.
If you can check 1 000 000 possibilities every second, that four-character password would be broken in about a minute and a half. Five characters would take about 3 hours. Six? 12 days. Seven? 4 years. Eight? Up to 400 years by such brute force methods.
But - if you only use lower case characters (i.e. only 1/4 of the range), someone can check all possible combinations of four lower case characters in half a second at 1 000 000 possibilities every second (there being about 500 000 possible combinations of four lower case characters). Five? 12 seconds. Six? Five minutes. Seven? About 2.5 hours. Eight? About 2.5 days.
Then: let's assume you've used a longer password, but based it on a simple word from a dictionary. And let's assume there are a million words in that dictionary. The password would be broken within a second using the same idea as applied above.
But you're smarter than that: you've capitalized a letter or two. So each of (say) eight positions could be capitalized or not: this gives 256 times more choices for the password than just the lower case original. Meaning that it could take all of four minutes to guess the password from the dictionary attack with random capitalization.
A few people do even more: they use a dictionary word, then do some easy-to-remember substitutions: "o" becomes "0" (zero), "E" becomes "3", and so on. If there were a possible substitution for each letter then each position could be the original or its substitute, another multiplier of 256 times more possibilities, slowing the cracking of the password to be as long as almost a whole day at 1 000 000 guesses per second.
How much complexity is reasonable? That depends on how valuable the information is you're trying to protect. You might know that for all of your passwords, you always capitalize the second letter, and substitute the fourth. But the guessing algorithm still has to try all the possibilities to be sure to cover the options.
I know some people who select two unrelated words (e.g. "happy" and "cast") and interleave the letters, up to eight letters (e.g. "h c a a p s p t"), then do some substitutions on that, e.g. capitalizing the first letter of the second word (hCaapspt), and substituting a "2" for a duplicated letter (3 if it's in triplicate, etc): "hCa2pspt". If someone tries the Dictionary attack, it won't succeed. If they tried a brute-force attack, it'll take them a while to break it (maybe as much as 7 years using the approaches described above). Even if they knew to interleave two random words, that's a Trillion possibilities right there, and with the capitalization and substitutions it would still take a couple years to try every combination.
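The arithmetic and the interleaving scheme from the post above, as an added example that is not part of the original post. All function names are hypothetical, the guess rate and dictionary size are the post's own assumptions, and replacing a run of identical letters with the letter plus the run length is one assumed reading of the "2 for a duplicate, 3 for a triplicate" rule.

```python
from itertools import groupby, zip_longest

RATE = 1_000_000  # guesses per second, the rate assumed in the post

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length

def worst_case_seconds(candidates: int, rate: int = RATE) -> float:
    """Time to try every candidate at the given guess rate."""
    return candidates / rate

def dictionary_candidates(words: int, positions: int, binary_tweaks: int) -> int:
    """Dictionary size times 2**positions for each independent per-letter
    yes/no tweak (capitalised or not, substituted or not)."""
    return words * (2 ** positions) ** binary_tweaks

def interleave(first: str, second: str, max_len: int = 8) -> str:
    """Alternate letters from two words, truncated to max_len."""
    mixed = [c for pair in zip_longest(first, second) for c in pair if c]
    return "".join(mixed[:max_len])

def build_password(first: str, second: str) -> str:
    """Interleave, capitalise the second word's first letter, then replace
    each run of identical letters with letter + run length (assumed reading)."""
    chars = list(interleave(first.lower(), second.lower()))
    if first and second:
        chars[1] = chars[1].upper()  # index 1 holds the second word's first letter
    out = []
    for letter, run in groupby(chars):
        n = len(list(run))
        out.append(letter if n == 1 else f"{letter}{n}")
    return "".join(out)

if __name__ == "__main__":
    for size, label in ((100, "all ranges"), (26, "lower case only")):
        for length in range(4, 9):
            secs = worst_case_seconds(keyspace(size, length))
            print(f"{label:16} len {length}: {secs:,.1f} s ({secs / 86400:,.2f} days)")
    for tweaks, label in ((0, "plain word"), (1, "+ capitals"), (2, "+ substitutions")):
        secs = worst_case_seconds(dictionary_candidates(1_000_000, 8, tweaks))
        print(f"dictionary {label:16}: {secs:,.0f} s")
    print(build_password("happy", "cast"))
```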