You know that you will need to create a strong passphrase every time you create an SSH key, and you want to define a policy that spells out what a strong passphrase is. So, what makes a strong passphrase?
Use these guidelines for creating your own policy:
An SSH passphrase must be at least eight characters long.
It must not be a word in any language. The easy way to handle this is to use a combination of letters, numbers, and mixed cases.
Reversing words does not work—automated dictionary attacks know about this.
A short sentence works well for most folks, like "pnt btt3r l*vz m1 gUmz" (peanut butter loves my gums).
Write it down and keep it in a safe place.
Whoever convinced hordes of how-to authors to teach "Don't write down passwords" should be sent to bed without dessert. It doesn't work. If you don't want to believe me, how about a security expert like Bruce Schneier? From his essay "Write Down Your Password" (http://www.schneier.com/blog/archives/2005/06/write_down_your.html):
I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
Easily remembered passwords are also easily guessed. Don't underestimate the power and sophistication of automated password-guessers. Difficult-to-remember passwords are also difficult to crack. Rarely used passwords are going to evaporate from all but the stickiest of memories.
I use a handwritten file kept in a locked filing cabinet, in a cunningly labeled folder that does not say "Secret Passwords In Here," plus my personal sysadmin notebook that goes with me everywhere. If any thief actually searches hundreds of files and can decode my personal shorthand that tells what each login is for, well, I guess she deserves to succeed at breaking into my stuff!