How to Create a Strong Password (and Actually Remember It)

Passwords are still the front door to almost everything you do online — email, banking, social media, work accounts. Yet most people reuse the same handful of weak passwords everywhere, which is exactly what attackers count on. This guide explains what actually makes a password strong, the mistakes to avoid, and how to manage strong passwords without memorising dozens of random strings.

What makes a password strong?

Two things matter far more than anything else: length and unpredictability. A password's resistance to guessing grows exponentially with each character you add. An eight-character password can be brute-forced surprisingly quickly with modern hardware, while a sixteen-character password of the same type is effectively out of reach. Aim for at least 12 characters, and prefer 16 or more for important accounts.

Unpredictability means the password should not follow a pattern a human or a cracking dictionary could anticipate. "Password123!" technically has letters, numbers and a symbol, but it is one of the first combinations any attacker tries. Randomness — a genuinely unpredictable mix of characters — is what gives length its power.

The mistakes almost everyone makes

Passphrases: strong and memorable

If you need a password you can actually type from memory, a passphrase is a great option. String together four or five random, unrelated words — something like "otter-velvet-cargo-lantern". Because it is long, it is hard to crack; because the words are random, it is hard to guess; and because they are words, it is far easier to remember than a jumble of symbols. The key word is random: don't pick a famous quote or song lyric, which cracking tools already know.

Let a tool do the hard part

For accounts you don't need to type by hand, the best password is one you never see: a long, fully random string generated for you. Our password generator creates strong passwords entirely in your browser, so nothing is sent anywhere. Pair it with a password manager (1Password, Bitwarden, NordPass and others) that stores and autofills a unique password for every site. Then the only password you need to remember is one strong master passphrase.

A simple routine that works

You don't have to fix everything at once. Start with your most important accounts — email first, because it can reset all the others — and give each a unique, generated password stored in a manager. Turn on two-factor authentication wherever it is offered; even a strong password is stronger with a second factor. Then work through the rest of your accounts a few at a time. Within a couple of weeks you can move from "the same password everywhere" to a unique, strong password on every account, with almost no memorising involved.

Key takeaways

Advertisement

Tools mentioned in this guide

Password Generator

Create strong, random passwords with a real strength meter.

Generators

Hash Generator

Generate MD5, SHA-1, SHA-256 and SHA-512 hashes.

Developer Tools