Cyber Wednesday Info Byte #29

Recent events involving the scraping of personal information from social media sites, such as the Facebook Leak and the LinkedIn Leak, should give us all pause to re-evaluate what we consider to be private information. Once data points such as a cellphone number, personal email address, or birthday are collected and released in public data sets, there is no way to make that information private again; therefore such data points should not be used as components of password construction. In accordance with best-practice guidance from NIST, a robust cybersecurity strategy includes keeping abreast of the latest breaches.

"The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." – IA-5 Authenticator Management, NIST SP 800-53, Rev. 5
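The two points above (do not build passwords from exposed personal data points, and screen candidates against a list of commonly used, compromised, or expected passwords) can be combined into one screening check. The following is an added example, not code from the Info Byte or from NIST: it checks a candidate against each category the IA-5 discussion names (breach corpus, dictionary words, repetitive or sequential characters, service name, username and derivatives such as reversed or leetspeak forms) and additionally against the user's own phone number, email address and birthday. The breach corpus, dictionary, service name "acme", username "jsmith" and the user profile are all constructed sample data; a real deployment would load a maintained breach list and full dictionary instead.

```python
"""Password screening against the categories NIST SP 800-53 Rev. 5 IA-5
describes (breach corpus, dictionary words, repetitive or sequential
characters, context-specific words and derivatives), extended with the
user's own exposed data points (phone, email, birthday).
All lists and the profile below are constructed sample data."""
import re
import string

# Constructed stand-in for a breach corpus; load a maintained list in practice.
BREACH_CORPUS = {"password", "123456", "qwerty", "letmein", "welcome1"}
# Constructed mini dictionary; load a full word list in practice.
DICTIONARY = {"summer", "dragon", "monkey", "football", "sunshine"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Common leetspeak substitutions, undone before comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Lower-case, drop leading/trailing digits and punctuation, undo leetspeak,
    so that 'P@ssw0rd!' and 'password' compare equal."""
    return pw.lower().strip(string.digits + string.punctuation).translate(LEET)


def is_repetitive_or_sequential(pw: str, run: int = 4) -> bool:
    """True for runs such as 'aaaa', 'abcd', '4321' or keyboard walks like 'asdf'."""
    s = pw.lower()
    if re.search(r"(.)\1{%d,}" % (run - 1), s):      # same character repeated
        return True
    for i in range(len(s) - run + 1):                 # ascending/descending runs
        window = s[i:i + run]
        if not (window.isalpha() or window.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    for row in KEYBOARD_ROWS:                          # keyboard walks, both directions
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in s or seg[::-1] in s:
                return True
    return False


def context_terms(service: str, username: str, profile: dict) -> set:
    """Strings that must not appear in this user's password: service name,
    username, email local part and its tokens (plus reversed forms), phone
    digits, and the birthday in common layouts (expects ISO 'YYYY-MM-DD')."""
    terms = set()
    local_part = profile.get("email", "").split("@")[0]
    tokens = re.split(r"[^a-z0-9]+", local_part.lower())
    for word in (service, username, local_part, *tokens):
        w = word.lower()
        if len(w) >= 3:
            terms.update({w, w[::-1]})
    digits = re.sub(r"\D", "", profile.get("phone", ""))
    if len(digits) >= 4:
        terms.update({digits, digits[-4:]})
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", profile.get("birthday", ""))
    if m:
        y, mo, d = m.groups()
        terms.update({y, mo + d, d + mo, y + mo + d, d + mo + y, d + mo + y[2:]})
    return terms


def screen_password(pw: str, service: str, username: str, profile: dict) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    low, norm = pw.lower(), normalize(pw)
    if low in BREACH_CORPUS or norm in BREACH_CORPUS:
        reasons.append("found in breach corpus")
    if norm in DICTIONARY:
        reasons.append("dictionary word")
    if is_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential characters")
    # Longest term first so the most specific match is the one reported.
    for term in sorted(context_terms(service, username, profile), key=len, reverse=True):
        if term in low or term in norm:
            reasons.append(f"contains context-specific or personal data: {term}")
            break
    return reasons


# Constructed sample profile; the phone number uses the fictional 555-01xx range.
SAMPLE_PROFILE = {"email": "john.smith@example.com",
                  "phone": "+1-202-555-0147", "birthday": "1990-04-12"}

if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Summer2024!", "abcd1234xyz", "J5m1th#2024",
                      "Spring0147", "correct-horse-battery-staple"):
        verdict = screen_password(candidate, "acme", "jsmith", SAMPLE_PROFILE)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Running the block rejects the first five candidates for, respectively, the breach corpus, a dictionary word, a sequential run, a leetspeak derivative of the username, and the last four digits of the user's phone number, and accepts the final passphrase. The birthday and phone checks are the part that addresses the leak scenario directly: once those values are in a public data set, a password built from them is no stronger than a dictionary word.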

Learn more: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf