Passwords can be the weakest link in a server security deployment. Take great care when you select a password. A strong password has the following characteristics:
Is at least eight characters long.
Combines letters, numbers, and symbol characters within the password.
Is not found in a dictionary.
Is not the name of a command.
Is not the name of a person.
Is not the name of a user.
Is not the name of a computer.
Is changed regularly.
Is different from previous passwords.
Microsoft SQL Server passwords can contain up to 128 characters, including letters, symbols, and digits. Because logins, user names, roles, and passwords are frequently used in Transact-SQL statements, certain symbols must be enclosed by double quotation marks (") or square brackets ([ ]). Use these delimiters in Transact-SQL statements when the SQL Server login, user, role, or password has the following characteristics:
Contains or starts with a space character.
Starts with the $ or @ character.
If used in an OLE DB or ODBC connection string, a login or password must not contain the following characters:  () , ; ? * ! @ =. These characters are used to either initialize a connection or separate connection values.