How to Create a Strong Password (And Actually Remember It)
Most passwords people use are shockingly weak. Here is the science behind strong passwords, the passphrase method, and how a password manager changes everything.
The average person has over 100 online accounts. The average person also reuses the same 3–5 passwords across most of them. This is the single biggest security vulnerability for most individuals — not sophisticated hackers, not zero-day exploits, just bad passwords.
Here is how to fix that.
Why Weak Passwords Fail
Before building better habits, it helps to understand how passwords actually get compromised.
Credential stuffing. When a service gets breached, attackers dump millions of username/password pairs online. They then automatically test those same credentials against hundreds of other services. If you reuse passwords, one breach exposes everything.
Brute force. Automated tools cycle through billions of possible passwords per second. A 6-character lowercase password has fewer than 309 million combinations — a modern GPU can crack that in under a second.
Dictionary attacks. Attackers start with common words, names, sports teams, dates, and keyboard patterns. "Password1!", "Summer2024", "qwerty123" — all cracked instantly from precomputed tables.
The takeaway: length and randomness are everything.
The Rules for a Strong Password
Security researchers and standards bodies (NIST, OWASP) agree on a few principles:
Length is the most important factor. Every extra character multiplies the number of possible combinations by the size of the character set, so strength grows exponentially with length. A 12-character password is not twice as secure as a 6-character one; it is billions of times harder to brute force.
Use variety. Mixing uppercase letters, lowercase letters, digits, and symbols forces attackers to consider a much larger character set per position. A 16-character password using all four character types has over 10²⁸ possible combinations.
Avoid predictability. No dictionary words. No names. No dates. No keyboard walks (qwerty, 123456, zxcvbn). No substitutions (P@ssw0rd — attackers have tables for these too).
Never reuse. A breach at one site must never compromise another. Unique passwords are non-negotiable.
Minimum 12 characters for basic accounts; 16–20 for high-value accounts like email, banking, or your password manager master password.
The Passphrase Method
Here is the problem: a truly strong password like Xk7#mP2qL9vR!wNz is impossible to memorise. This is why most people give up and go back to weak passwords.
Enter passphrases. A passphrase is a sequence of random words, for example: correct-horse-battery-staple. That phrase was made famous by the XKCD comic (which also means it now sits on every cracking wordlist, so never use that exact phrase), but the principle is sound.
Four random, unrelated words give you enormous entropy (security strength) while being far easier to remember. The key word is random: "ilovemycat" is not a passphrase, it is a predictable sentence. Roll dice against a published word list, or use a random word generator, to pick words with no connection to each other.
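To make the numbers in this article concrete, here is an added Python example (not from the original article or any generator it links to) that computes the entropy of a random character password versus a random-word passphrase, converts that into an expected brute-force time at an assumed rate of 10 billion guesses per second, and generates both kinds of secret with the CSPRNG-backed `secrets` module. The 12-word list is a constructed stand-in for the demo; the passphrase entropy figures assume a full 7776-word dice list.

```python
import math
import secrets
import string

# Constructed mini word list for the demo only. A real dice word list has
# 7776 words (five six-sided dice per word, about 12.9 bits of entropy each).
DEMO_WORDS = ["correct", "horse", "battery", "staple", "ocean", "pencil",
              "granite", "violin", "meadow", "rocket", "saddle", "tulip"]
DICE_LIST_SIZE = 7776

CHAR_SETS = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digits": string.digits,            # 10
    "symbols": string.punctuation,      # 32 printable ASCII symbols
}

def password_entropy_bits(length: int, classes: tuple) -> float:
    """Entropy of a uniformly random password drawn from the named classes."""
    alphabet = "".join(CHAR_SETS[c] for c in classes)
    return length * math.log2(len(alphabet))

def passphrase_entropy_bits(num_words: int, list_size: int = DICE_LIST_SIZE) -> float:
    """Entropy of num_words words chosen uniformly from a list of list_size."""
    return num_words * math.log2(list_size)

def years_to_brute_force(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to hit the password: on average half the keyspace is searched."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)

def generate_password(length: int, classes=("lower", "upper", "digits", "symbols")) -> str:
    """Random password using secrets.choice, never the random module."""
    alphabet = "".join(CHAR_SETS[c] for c in classes)
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_passphrase(num_words: int, words=DEMO_WORDS, sep: str = "-") -> str:
    """Random passphrase; repeats are allowed, as with real dice rolls."""
    return sep.join(secrets.choice(words) for _ in range(num_words))

if __name__ == "__main__":
    for label, bits in [
        ("6 lowercase chars", password_entropy_bits(6, ("lower",))),
        ("12 mixed chars", password_entropy_bits(12, ("lower", "upper", "digits", "symbols"))),
        ("16 mixed chars", password_entropy_bits(16, ("lower", "upper", "digits", "symbols"))),
        ("4 dice words", passphrase_entropy_bits(4)),
        ("6 dice words", passphrase_entropy_bits(6)),
    ]:
        print(f"{label:18s} {bits:6.1f} bits  ~{years_to_brute_force(bits):.3g} years at 1e10/s")
    print(generate_password(16), generate_passphrase(4))
```

Run it and compare the rows: six lowercase characters fall in a fraction of a second, while four random dice words already exceed a 12-character mixed password from the article's own recommended minimum.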
For most accounts though, you should not be typing passwords manually at all — which brings us to the most important piece of advice.
Use a Password Manager
A password manager stores all your passwords encrypted behind one strong master password. It generates unique, random passwords for every site and fills them in automatically. You only need to remember one password.
This is the only practical way to have truly unique, strong passwords for all your accounts without going insane. Recommended options:
Bitwarden — open-source, free tier covers unlimited devices, and the code has been independently audited. This is the best starting point for most people.
1Password — polished apps, excellent family and team plans. Paid only, but worth it for power users.
iCloud Keychain / Google Password Manager — built into Apple and Google devices respectively. Convenient if you stay within their ecosystems, with no setup required.
Generate Strong Passwords Instantly
The fastest way to get a strong, random password right now: use our free Password Generator. Set your desired length (we recommend 16+ characters), toggle the character types you need, and copy the result directly to your password manager. Everything runs in your browser — your generated password is never transmitted to any server.