
2026-07-11
How to Create a Strong Password You Can Actually Remember
The two proven ways to make a strong password: a truly random generated password stored in a manager, or a 4-5 word passphrase for the few passwords you must memorise. Here's exactly how to do both.
There are only two kinds of strong password worth using in 2026: a long random password that a machine generates and a password manager remembers, or a passphrase of 4–5 random words for the handful of passwords your own brain must hold. Everything else — pet names with numbers, keyboard patterns, Summer2026! — is weak, no matter how clever it feels.
This guide shows you exactly how to build both kinds, and which one to use where.
Rule zero: one password, one account
Before strength comes uniqueness. The most common way accounts get hijacked isn't cracking — it's credential stuffing: a password leaks from one website, and attackers try the same email + password on hundreds of others. A strong password reused everywhere is a weak password. You can check whether any of your passwords have already appeared in known breaches with our Password Leak Checker — it uses k-anonymity, so your password never leaves your browser.
Method 1: The generated password (for 95% of your accounts)
For any account that a password manager will fill in for you, the best password is one no human ever thinks up:
- Open our Password Generator.
- Set the length to 16 or more characters, with all character types on.
- Generate, and save it straight into your password manager.
Why 16+? Each extra character multiplies the cracking effort by ~94×. Sixteen truly random characters (~105 bits of entropy) is beyond any realistic brute-force attack — the full arithmetic is in our password strength math explainer.
The key word is random. Humans are terrible at randomness: we pick dictionary words, birthdays and predictable substitutions (a→@, e→3) that cracking software tries first. A generator has no habits to exploit.
Never used a password manager? Our step-by-step password manager tutorial gets you set up in 15 minutes.
Method 2: The passphrase (for passwords you must memorise)
A few passwords can't live in a manager — your master password for the manager itself, your computer login, maybe your primary email. For these, use a passphrase:
- Pick 4–5 words at random — genuinely random, not a song lyric or quote. Rolling dice against a word list (the "diceware" method) or a random word generator is ideal.
- Join them with spaces or hyphens:
stapler-orbit-mango-quilt-frost - Optionally add one number or symbol somewhere if a site demands it.
stapler-orbit-mango-quilt-frost is 31 characters long, carries ~64+ bits of entropy from word choice alone, and after typing it a few times you'll remember it for years. Compare that to P@ssw0rd123! — shorter, harder to remember, and one of the first patterns any cracking tool tries.
The catch: the words must be random. "my-dog-loves-the-beach" is a sentence, and cracking tools try common phrases and grammar patterns. Five words chosen by dice beat six words chosen by your brain.
What makes a password weak? (the patterns crackers try first)
- Any single dictionary word, even with substitutions:
Tr0ub4dor&3 - Names + years:
ahmed1998,Summer2026! - Keyboard walks:
qwerty123,1qaz2wsx - Anything you've used before, anywhere
- Anything under 12 characters, regardless of symbols
Strong password ≠ done: add 2FA
Even a perfect password can be phished. Two-factor authentication means a stolen password alone isn't enough to get in — our guide to protecting your accounts with passwords + 2FA covers setting it up on your important accounts in one sitting.
Frequently asked questions
Is it safe to use an online password generator?
It depends on the generator. Ours runs entirely in your browser using the cryptographically secure crypto.getRandomValues() API — the password is created on your device and never sent anywhere. Avoid any generator that produces passwords on a server.
How often should I change my passwords?
Modern guidance (including NIST's) says: don't change on a schedule — change immediately when there's a reason: a breach, a shared password, a device you no longer trust. Forced rotation produces weaker, patterned passwords (Password1 → Password2).
Is a 12-character password enough? Twelve truly random characters is acceptable today; 16 gives you a comfortable margin for years to come, and costs nothing extra when a manager does the remembering.
What's the single best upgrade I can make today? Install a password manager, generate a unique 16+ character password for your email account first (it's the key to resetting everything else), then work through your other accounts over a week.
Strong passwords aren't about creativity — they're about removing the human from the process. Generate the ones a manager can remember, dice-roll the few you must, and check the old ones for leaks today.