How to Create a Strong Password (and Actually Remember It)
Passwords are still the front door to almost everything you do online — email, banking, social media, work accounts. Yet most people reuse the same handful of weak passwords everywhere, which is exactly what attackers count on. This guide explains what actually makes a password strong, the mistakes to avoid, and how to manage strong passwords without memorising dozens of random strings.
What makes a password strong?
Two things matter far more than anything else: length and unpredictability. A password's resistance to guessing grows exponentially with each character you add. An eight-character password can be brute-forced surprisingly quickly with modern hardware, while a sixteen-character password of the same type is effectively out of reach. Aim for at least 12 characters, and prefer 16 or more for important accounts.
Unpredictability means the password should not follow a pattern a human or a cracking dictionary could anticipate. "Password123!" technically has letters, numbers and a symbol, but it is one of the first combinations any attacker tries. Randomness — a genuinely unpredictable mix of characters — is what gives length its power.
The mistakes almost everyone makes
- Reusing passwords. If one site is breached, attackers try the same email and password on hundreds of other sites automatically. One reused password can unlock your whole digital life.
- Using personal information. Names, birthdays, pet names and favourite teams are easy to find on social media and are tried first.
- Predictable substitutions. Swapping "a" for "@" or "o" for "0" ("P@ssw0rd") no longer fools cracking tools — they know every common substitution.
- Short "complex" passwords. A short password packed with symbols is still short. Length beats complexity.
Passphrases: strong and memorable
If you need a password you can actually type from memory, a passphrase is a great option. String together four or five random, unrelated words — something like "otter-velvet-cargo-lantern". Because it is long, it is hard to crack; because the words are random, it is hard to guess; and because they are words, it is far easier to remember than a jumble of symbols. The key word is random: don't pick a famous quote or song lyric, which cracking tools already know.
Let a tool do the hard part
For accounts you don't need to type by hand, the best password is one you never see: a long, fully random string generated for you. Our password generator creates strong passwords entirely in your browser, so nothing is sent anywhere. Pair it with a password manager (1Password, Bitwarden, NordPass and others) that stores and autofills a unique password for every site. Then the only password you need to remember is one strong master passphrase.
A simple routine that works
You don't have to fix everything at once. Start with your most important accounts — email first, because it can reset all the others — and give each a unique, generated password stored in a manager. Turn on two-factor authentication wherever it is offered; even a strong password is stronger with a second factor. Then work through the rest of your accounts a few at a time. Within a couple of weeks you can move from "the same password everywhere" to a unique, strong password on every account, with almost no memorising involved.
Key takeaways
- Prioritise length (12+ characters, 16+ for important accounts) over fancy symbols.
- Never reuse a password across sites.
- Use a random passphrase when you need to remember it, and a generated random string when you don't.
- Store everything in a password manager and enable two-factor authentication.