What consists of a good password?

Something that is simple enough for people to remember, instead of having them write it down on a post-it and sticking that to their terminal.

But ultimately, it depends on what's at stake. If the expected cost of cracking the password exceeds the value of having the password, the password is strong enough. Which means that for 99% of the website, 2 letter passwords (no digits, case or punctuation allowed), are more than strong enough. But there are also cases where a password alone isn't secure enough. (Some say, good security is based on three pieces of authentication: something you know (password/phrase), something you have (key, RSA number generator), something that's you (fingerprint, voice, retina scan)).