
We have to rotate our password advice to family and friends every couple of years or so. It used to be "use a random combination of memorable words with a number thrown in", a la "reddogbarkhard7". Now I feel like right after guessing the 10k most common passwords a hacker would immediately brute-force word combinations with a single integer ending.



The worst bias is letting the users choose their passwords. They should use a generator such as [1]. The reason is that the "entropy" is not a characteristic of a password but of the way it is generated. Computers are much better at entropy than humans.

[1] http://passwordcreator.org/
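As an added illustration of the point above (this is example code, not from the comment or from passwordcreator.org): the entropy figure belongs to the generation process, so the same "words plus a digit" shape carries very different strength depending on how many candidates each slot is actually drawn from. The small word list below is constructed for the example; a real generator would read a list of several thousand words.

```python
import math
import secrets
import string

# Constructed sample word list; stands in for the handful of words a
# person tends to reach for when asked to "pick memorable words".
FAVOURITE_WORDS = ["red", "dog", "bark", "hard", "blue", "cat", "moon", "lamp"]

def entropy_bits(choices_per_slot):
    """Entropy of a scheme whose output is a sequence of independent,
    uniformly random picks; choices_per_slot lists the size of each pick.
    It is a property of the process, not of any single output string."""
    return sum(math.log2(n) for n in choices_per_slot)

def scheme_entropy(word_list_size, n_words, n_digits=1):
    """'n_words random words from a list plus n_digits random digits'."""
    return entropy_bits([word_list_size] * n_words + [10] * n_digits)

def random_chars_entropy(length, alphabet_size=62):
    """'length characters drawn uniformly from an alphabet' (generator style)."""
    return entropy_bits([alphabet_size] * length)

def equivalent_random_chars(bits, alphabet_size=62):
    """Smallest uniformly random alphanumeric length with at least `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))

def generate(word_list, n_words, n_digits=1):
    """Produce one password by the words-plus-number scheme using the
    secrets module, so every slot really is uniform over its candidates."""
    words = [secrets.choice(word_list) for _ in range(n_words)]
    digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return "".join(words) + digits

if __name__ == "__main__":
    # Same shape as "reddogbarkhard7", three very different strengths:
    print("4 words from an 8-word favourites list + digit:",
          round(scheme_entropy(len(FAVOURITE_WORDS), 4), 1), "bits")
    print("4 words from a 10,000-word list + digit:",
          round(scheme_entropy(10_000, 4), 1), "bits",
          "~", equivalent_random_chars(scheme_entropy(10_000, 4)),
          "random alphanumerics")
    print("10 random alphanumerics:", round(random_chars_entropy(10), 1), "bits")
    print("sample from the constructed list:", generate(FAVOURITE_WORDS, 4))
```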


Work sent around a stupid cardboard stand which was supposed to tell us all about being excellent at our work, and the checking processes required before sending anything to clients etc etc.

We were changing domains at the same time, so my new password root is now based on the first three characters of the first 3 lines of the thing, which included some punctuation, then the standard numeral to increment every 90 days.

My password was in plain sight for a couple months before I got around to binning it, which actually makes life a lot easier. Especially when you're not using it often enough for it to be muscle memory - which is the problem my parents face.


However, such an approach corresponds to a few dozen bits of entropy at best (some for the approach, some for the length of text used, and a few for the numeral depending on whence it comes).

As stated by zamalek, the trick to not memorizing many passwords is to use a password manager.


Or, better yet, a password manager. If you aren't using one yet, now is a great opportunity.


I agree that password managers are great. They let you use completely different passwords for each service, efficiently mitigating any compromise. Also, they tend to encourage you to use actually random passwords (using a generator).

However, most users will not bother, and getting them to use at least decent passwords would be a great step forward. Additionally, you still need a master password for your password manager.


Also you can't really rely on a free password manager (which is what users will generally select) to be a long-time solution. Either because they go out of business, change their monetization model, get hacked, whatever. It's one of those things that sounds good, but in reality is unable to gain critical mass for human reasons.


What could possibly go wrong: "This page was served over an insecure connection. It could have been forged or altered in transit." In red letters.

There is a certain degree of trust that non-technical users are asked to do that should leave us with at least a mild level of discomfort.



