How to create strong passwords you can remember

Online account breaches make the headlines daily. Part of the reason is that impervious digital security mechanisms don’t exist – that is, they’re unbreakable until they’re broken into. And, as users, we have very little control over that. The other part of the reason is under user control: bad password etiquette.

People tend to use weak passwords so they can remember them, and they often reuse the same passwords for multiple sites or services, which makes matters worse. If you reuse the same passwords on multiple sites and that password is compromised, all the sites for which you used that password are compromised as well. In this post, we look at different ways you can create secure passwords that you can remember.

Let’s start.

Create strong passwords with password managers

Using a password manager should be at the top of any “secure password” cheat sheet. It’s the easiest way to create secure passwords, which will be very easy to remember because you don’t need to remember them at all – the password manager takes care of that for you.

A password manager is a tool that generates strong passwords for you and stores them in a database. That database is typically protected by a master password, which is the only one you need to remember. After that, whenever you need to log into a site or service, you launch your password manager, input your master password, and copy your secure password from the database.

This approach has several benefits:

  • As stated, a password manager creates complex passwords and stores them for you.
  • Using a different password for each site or service is trivial because you don’t need to remember them.
  • While you can keep your password database offline and entirely under your control, most password managers also offer a cloud feature that uploads your database (end-to-end encrypted, so the provider cannot read it) and syncs your passwords across devices.
  • Many password managers have an autofill feature that automatically populates username and password fields with your credentials, saving you the hassle of manually entering each one.
  • Tied to the above: a password manager’s autofill feature is usually tied to a URL. That may not seem like much at first glance, but it’s actually a security feature that can protect you from phishing scams. If you were redirected to a fake site under an attacker’s control, your username and password would not autofill because the scam URL would be different from the one associated with your credentials.
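The last point is worth seeing in code. The example below is added here and is not code from the post or from any password manager: it models a tiny credential vault keyed by origin and contrasts a strict origin match (what a URL-bound autofill should do) with a naive "host appears somewhere in the URL" check. The vault contents and the lookalike URLs are constructed for the example.

```python
"""Why URL-bound autofill resists phishing: a credential saved for one origin is
offered only when the page's origin (scheme + host + port) matches exactly."""
from urllib.parse import urlsplit

# Constructed sample vault {origin: (username, password)}; the passwords are the
# post's own illustrative strings, not real credentials.
VAULT = {
    "https://accounts.example.com": ("alice", "Jrrlt53%ohsAj$843ias!"),
    "https://mail.example.org": ("alice@example.org", "hedging espresso backlands"),
}


def origin_of(url: str) -> str:
    """Reduce a URL to its origin: scheme://host[:port], lower-cased, path ignored."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    host = parts.hostname.lower()          # .hostname already strips userinfo
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port is None or parts.port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{parts.port}"


def strict_autofill(page_url: str):
    """Correct behaviour: fill only when the page's origin equals a stored origin.
    Returns (username, password) or None."""
    return VAULT.get(origin_of(page_url))


def naive_autofill(page_url: str):
    """Weak behaviour, shown for contrast: fill if a stored host appears anywhere
    in the URL string. Lookalike domains and userinfo tricks both defeat it."""
    for origin, creds in VAULT.items():
        if urlsplit(origin).hostname in page_url:
            return creds
    return None


if __name__ == "__main__":
    for url in (
        "https://accounts.example.com/login?next=/inbox",     # genuine site
        "https://accounts.example.com.evil.tld/login",        # lookalike domain
        "https://accounts.example.com@evil.tld/",             # userinfo trick
        "http://accounts.example.com/login",                  # protocol downgrade
    ):
        print(f"{url}\n  strict: {strict_autofill(url)}\n  naive:  {naive_autofill(url)}")
```

Only the first URL receives credentials from `strict_autofill`; the other three are exactly the shapes a phishing page tends to take, and the naive check hands credentials to all of them. Real password managers refine this further (for example, matching registrable domains so that `login.example.com` and `www.example.com` can share an entry), but the principle is the same: the decision is made on the parsed origin, never on a substring of the address bar.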

There are several options available, including 1Password, Dashlane, and LastPass. There are also some excellent open-source options, like Bitwarden.

These tools are designed to work seamlessly across all your devices and easily integrate with popular web browsers like Chrome, Edge, Firefox, and Safari, ensuring your passwords are synchronized wherever you go. If you prefer to maintain complete control over your passwords, Bitwarden has self-hosting options.

Many password managers provide security dashboards that alert you to any breached passwords or those that may need updating. Some even have automated password changers that automatically change your passwords at determined intervals. If you’re serious about password security but still want to keep things as simple as possible, using a password manager is going to be right up your alley. You can read more about the safety of password managers here.

Generating strong passwords manually

Some people prefer to generate their own passwords and not have to rely on third-party software. And there’s nothing wrong with that, per se. But you do have to keep certain things in mind if you want your manual passwords to be as secure as possible.

In this section, we’ll provide an overview of what we’re calling “classic password” guidance while offering tips on making them easier to remember. After that, we’ll discuss the “passphrase” method of creating strong passwords.

Classic password guidance

These are password tips you’re very likely to have heard before – and, hopefully, many of your current passwords include most of the following recommendations for “long and complex” passwords.

  • Length: You want to create a password that’s long enough to accommodate complexity. A 4-character password will be much easier to guess than a 12-character password – the longer, the better. Of course, you’re going to need to remember it, so something between 12 and 16 characters will be the sweet spot.
  • Character selection: You want all your passwords to include numbers, special characters/symbols, and both capital and lowercase letters. And mix it up a fair amount to make your passwords as difficult to guess as possible. That precludes any passwords of the type fido123 or bday1006. You want something like H4&fTpl0H%dr5.
  • Unintelligibility: You want to stay away from the obvious when creating your passwords. Steer clear of intuitive substitutions, like using 0 (zero) instead of an O (the letter o) – H0rse isn’t a strong password despite cleverly substituting the o with a 0. Neither is DarkH0rse#333, even though it fulfills the above requirements of length and character selection. Two capitalized dictionary words with all the numbers at the end are not the way to go. Again, you want the end result to look something like this: H4&fTpl0H%dr5.

Wondering if your password is secure enough? Check out our password strength test tool.

Comparitech Password Strength tool

Creating complex passwords that are easy to remember

You want your passwords to be a seemingly random sequence of letters (upper and lowercase), numbers, and special characters. But human memory is notoriously bad with randomness. Our memories are better at remembering strings that follow a pattern than random strings.

But secure passwords need effective randomness. So, how are you supposed to remember H4&fTpl0H%dr5? And how are you supposed to remember multiple different passwords of that complexity? Well, it turns out that there’s an easy trick for that: Using the first letter of each word from a few sentences. An example will make everything instantly clear.

Take the following sentence: John’s rent represents less than 53% of his salary. At just $843, it’s a steal!

By taking the first letter of each word along with the special characters in those two sentences, we can create the following strong password: Jrrlt53%ohsAj$843ias!

That’s a very complex 21-character password, and you don’t need to remember that string of characters; you need to remember the much more significant and easy-to-remember sentences that spawned that password: John’s rent represents less than 53% of his salary. At just $843, it’s a steal!

You’ll want to write those down, at least in the beginning. But you’ll be surprised at how quickly your mind will commit them to memory.
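To make the trick concrete, here is a small added example (not code from the post) that derives the password from a sentence the way the text describes and then runs the result through the "classic" checks from the section above. The rule for which characters survive is an assumption made for the example: the first letter of every alphabetic word is kept with its case, digits and symbols such as `%`, `$` and `!` are kept, and ordinary sentence punctuation (periods, commas, apostrophes) is dropped because it adds nothing unpredictable.

```python
"""Derive a 'first letter of each word' password from a memorable sentence, then
check it against the classic length / character-class guidance."""
import string

# Symbols copied through verbatim from the sentence. Sentence punctuation
# (. , ' ") is deliberately absent: it is predictable, these are not.
# This is the example's own rule, not one stated in the post.
KEEP_SYMBOLS = set("!@#$%^&*+=?")


def mnemonic_password(sentence: str) -> str:
    """Turn 'John's rent represents less than 53% ...' into 'Jrrlt53%...'."""
    out = []
    for token in sentence.split():
        if token[0].isalpha():
            out.append(token[0])                 # first letter, case preserved
        out.extend(c for c in token if c.isdigit() or c in KEEP_SYMBOLS)
    return "".join(out)


def classic_check(password: str, min_len: int = 12) -> dict:
    """Mechanical checks from the classic guidance. Passing is necessary, not
    sufficient: 'DarkH0rse#333' passes yet is two dictionary words plus digits."""
    checks = {
        "length": len(password) >= min_len,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    checks["passes"] = all(checks.values())
    return checks


if __name__ == "__main__":
    sentence = "John's rent represents less than 53% of his salary. At just $843, it's a steal!"
    pw = mnemonic_password(sentence)
    print(pw, len(pw), classic_check(pw))
    for weak in ("fido123", "DarkH0rse#333"):
        print(weak, classic_check(weak))
```

Running it reproduces the post's `Jrrlt53%ohsAj$843ias!` (21 characters, all four character classes). Note that `DarkH0rse#333` also satisfies every mechanical check, which is precisely the "unintelligibility" point made earlier: character-class rules catch `fido123`, but they cannot tell a memorable sentence's initials apart from two capitalised dictionary words, so the sentence method matters beyond what any checklist measures.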

The passphrase method

There’s another way to create secure passwords that are easy to remember – and it doesn’t involve using a jumble of characters as your password. It does the opposite. The passphrase method was highlighted by a now-iconic XKCD comic many years ago.

As described in the comic, the passphrase method involves stringing together four or more random words to create your passphrase and using it as your password. The passphrase’s strength comes from its length and the randomness of the included words.

That randomness is key. If you create a passphrase using words that make sense together, like ‘plants need sunlight to grow,’ then you end up with a very weak password because the words make sense together, grammatically, semantically, and logically. Password-cracking tools would easily break that password. But if we take the comic’s example of ‘correct horse battery staple,’ because those words don’t make any real sense, password-cracking tools will have a much harder time breaking into your accounts.

Using Diceware

I mentioned above that humans are bad at randomness. We’re bad at remembering random strings and equally bad at generating random strings (of words and characters). As human beings, we’re obsessed with patterns, to the point that we can see patterns even when there are none. Like perceiving a dolphin in a cloud formation: the pattern is in your mind, not the clouds. That’s called pareidolia.

That is why Diceware was developed. Diceware is a method for creating passphrases that sidesteps the human mind’s need for significance. It uses word lists (containing thousands upon thousands of words) and dice to create the passphrases. It works as follows:

Let’s say our word list assigns a five-digit number to each word, and we want a six-word passphrase (the recommended passphrase length today). So, we will use five dice and repeat the process six times (once for each word in our passphrase).

  1. Roll your five dice. Let’s assume the result of the dice roll is 3 – 5 – 1 – 2 – 3 – 6.
  2. Refer to your word list to find the number 351236, which corresponds to the word ‘hedging.’ That’s the first word in your passphrase.
  3. Repeat that process five more times (or more for a longer passphrase).
  4. You’ll end up with something like ‘hedging espresso backlands unnatural obtain delegate,’ which is a very strong password.

You can find some English diceware word lists on the EFF’s website.
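The following example is added here and is not code from the post or from the EFF; it automates the procedure above and also puts numbers on the earlier claim that a passphrase's strength comes from its length and the randomness of its words. It assumes the EFF long-list format (five dice, a tab, then the word) and embeds a seven-line constructed fragment so it runs offline; the indices next to the words are made up for the example, not the real list's values. Dice rolls come from the `secrets` module rather than `random`, because only a cryptographically secure generator is a fair substitute for physical dice.

```python
"""Diceware passphrase generation with a CSPRNG standing in for physical dice,
plus the entropy arithmetic behind 'longer passphrase = stronger'."""
import math
import secrets

# Constructed fragment in the EFF long-list format ("<5 dice>\t<word>"). The real
# list has 7776 entries; these 7 lines (and their indices) exist only for the demo.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
35123\thedging
23456\tespresso
16113\tbacklands
64562\tunnatural
44141\tobtain
"""


def parse_wordlist(text: str) -> dict:
    """Map each five-dice index (e.g. '35123') to its word, validating the index."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t")
        if len(key) != 5 or any(ch not in "123456" for ch in key):
            raise ValueError(f"bad dice index {key!r}")
        words[key] = word
    return words


def roll_dice(n: int = 5) -> str:
    """n independent fair dice via secrets (never random), returned as '35123'-style text."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def passphrase(words: dict, n_words: int = 6, max_tries: int = 100_000) -> str:
    """Roll, look the index up, repeat n_words times. With the full 7776-word list every
    roll hits; with the sparse fragment above most rolls miss, hence the retry loop."""
    chosen = []
    for _ in range(max_tries):
        key = roll_dice()
        if key in words:
            chosen.append(words[key])
            if len(chosen) == n_words:
                return " ".join(chosen)
    raise RuntimeError("word list too sparse for the requested length")


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` elements each drawn uniformly from `choices` alternatives.
    Works for words from a list and for characters from an alphabet alike."""
    return length * math.log2(choices)


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST)
    print("passphrase:", passphrase(words, 3))           # only 3 words fit this tiny list
    print("4 words from 7776:  %.1f bits" % entropy_bits(7776, 4))
    print("6 words from 7776:  %.1f bits" % entropy_bits(7776, 6))
    print("12 printable chars: %.1f bits" % entropy_bits(95, 12))
```

The arithmetic is the point of the last three lines: four words from a 7776-word list (the comic's "correct horse battery staple") give about 51.7 bits, six words give about 77.5 bits, and twelve characters chosen uniformly from the 95 printable ASCII characters give about 78.8 bits. In other words, a six-word Diceware passphrase is roughly as hard to brute-force as a twelve-character random password, and far easier to remember. The figures hold only if every word is really drawn uniformly by dice or a CSPRNG; a phrase whose words were picked by a person because they "went together" has far less entropy than the count of words suggests.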

Wrapping up on passwords

So, those are your options for creating and remembering strong and unique passwords. Whether you use a password manager or not, following the advice in this post will help protect your accounts with secure passwords.

To keep your accounts safe, you’ll need more than just strong passwords. Remember to keep them unique (i.e., don’t reuse the same password on multiple accounts). And I highly recommend enabling two-factor authentication (2FA) on all accounts that support it. That way, you’ll still have some measure of protection even if your password is compromised.

As always, stay safe.