Developer · June 23, 2026 · 5 min read

How to Create a Strong Password (And Actually Remember It)

The most common passwords in the world are still "123456", "password", and "qwerty". This hasn't changed meaningfully in a decade despite breach after breach making the news. The problem isn't that people don't know these passwords are weak — it's that they haven't found a system that makes strong passwords both secure and manageable.

Here's what actually makes a password strong, what the research now says about complexity requirements, and the two approaches that work in practice.

Length beats complexity every time

A 16-character password made of random lowercase letters is harder to crack than an 8-character password with uppercase, numbers, and symbols. This surprises most people, but the maths is straightforward: each additional character multiplies the number of possible combinations by the size of the character set, while adding character types only makes that set larger. As a result, an 8-character password with full complexity has fewer possible combinations than a 16-character lowercase-only password.

The US National Institute of Standards and Technology (NIST) updated its guidelines in 2024 to reflect this. They now recommend prioritising length over mandatory complexity rules — meaning you don't need to replace letters with numbers and symbols if your password is long enough. What you do need is length and randomness.

What makes a password weak

Weak passwords share predictable patterns: dictionary words, names, dates, keyboard walks (qwerty, asdfgh), and simple character substitutions (p@ssword, h3llo). Modern password cracking tools know all of these patterns and try them first. A password that feels creative — like substituting 3 for E — offers almost no additional security against automated attacks.
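The sketch below is an added example, not code from this site or its generator: a defensive check, of the kind a sign-up or password-change form might run, that flags the patterns listed above. The word list, substitution table and function name are constructed for illustration; a real check would use a much larger list of known-breached passwords.

```python
import re
import string

# Constructed sample data; a real deployment needs a far larger list.
COMMON = {"password", "hello", "qwerty", "123456", "letmein", "summer"}
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Every 4-key run along a keyboard row, left-to-right and right-to-left.
WALKS = {r[i:i + 4] for row in KEY_ROWS for r in (row, row[::-1])
         for i in range(len(r) - 3)}
# Undo the usual look-alike substitutions: @ and 4 -> a, 3 -> e, 0 -> o, ...
LEET = str.maketrans("@4301!$5+7", "aaeoiisstt")
TAIL = string.digits + string.punctuation  # suffixes such as "1" or "2024!"
YEAR = re.compile(r"(19|20)\d\d")


def weak_reasons(password: str) -> list[str]:
    """Return the predictable patterns found; an empty list means none matched."""
    lower = password.lower()
    trimmed = lower.rstrip(TAIL)  # "password1" -> "password"
    reasons = []
    if lower in COMMON or trimmed in COMMON:
        reasons.append("common password or dictionary word")
    elif lower.translate(LEET) in COMMON or trimmed.translate(LEET) in COMMON:
        reasons.append("dictionary word with character substitutions")
    if any(walk in lower for walk in WALKS):
        reasons.append("keyboard walk")
    if YEAR.search(lower):
        reasons.append("contains a year")
    return reasons


if __name__ == "__main__":
    for candidate in ["p@ssword", "h3llo", "asdfgh", "Summer2024!",
                      "marble-kettle-genuine-frost"]:
        print(f"{candidate!r}: {weak_reasons(candidate) or 'no known pattern'}")
```

An empty result only means none of these known patterns matched; it does not measure how random the password is.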

Reusing passwords is the most dangerous habit. When any site you've used is breached — and breaches happen constantly — attackers immediately test your email/password combination on hundreds of other services. One weak password on one forgotten account can compromise your bank, your email, and your social media simultaneously.

The passphrase approach

A passphrase is a string of random words: "correct-horse-battery-staple", "purple-cloud-nineteen-lamp". These are long (usually 25–40 characters), genuinely random if the words are chosen properly, and — crucially — much easier to remember than a string of random characters.

For the accounts you need to type manually (your computer login, for example), a passphrase is often the best option. Choose four or more genuinely random words, not a meaningful phrase. "ilovemydog" is not a passphrase. "marble-kettle-genuine-frost" is.

Using a password generator and manager

For most accounts, the best approach is a generated random password stored in a password manager. Generate a long random password (20+ characters), save it in your manager, and never think about it again. The manager fills it in automatically. You only need to remember one strong master password.
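The following added example (not the code behind this site's generator) shows both approaches, a random-word passphrase and a generated random password, drawn from the operating system's cryptographic random source, together with the length-versus-complexity arithmetic from earlier in the article. The word list is a constructed sample, and the 95-symbol "full complexity" alphabet and the 7776-word list size are assumptions chosen for the comparison.

```python
import math
import secrets
import string

# Constructed sample list so the example runs offline. It is far too small
# for real use; a Diceware-style list has 7776 words.
SAMPLE_WORDS = ["marble", "kettle", "genuine", "frost", "purple", "cloud",
                "lamp", "battery", "staple", "horse", "river", "candle",
                "orbit", "pepper", "window", "anchor"]
PRINTABLE = 95  # assumed "full complexity" alphabet: printable ASCII


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` symbols, each picked uniformly from `choices`."""
    return length * math.log2(choices)


def random_password(length: int = 20,
                    alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random password from the OS CSPRNG (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 4, words=SAMPLE_WORDS,
                      sep: str = "-") -> str:
    """Words drawn independently and uniformly; repeats are allowed."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(f"8 chars, 95 symbols : {entropy_bits(PRINTABLE, 8):.1f} bits")
    print(f"16 chars, lowercase : {entropy_bits(26, 16):.1f} bits")
    print(f"4 words of 7776     : {entropy_bits(7776, 4):.1f} bits")
    print(f"20 chars, 62 symbols: {entropy_bits(62, 20):.1f} bits")
    print("password  :", random_password())
    print("passphrase:", random_passphrase())
```

A passphrase's entropy comes from the size of the word list and the number of words, so each added word contributes the same number of bits regardless of how many letters it has.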

Our free password generator creates secure random passwords at whatever length and complexity you need. Generate a different password for every account; this single habit eliminates the risk of one breach spreading to all your accounts. Setting up a password manager takes a few minutes and is the single highest-return security improvement most people can make.


Frequently Asked Questions

What makes a password strong?

Length and randomness. A strong password is at least 16 characters long and contains no predictable patterns, dictionary words, or personal information. Longer is always better — a 20-character random password is significantly harder to crack than a 10-character one with symbols.

Is it better to use a long password or a complex one?

Long. Research and updated NIST guidelines confirm that length contributes more to password strength than complexity. A 16-character lowercase password has more possible combinations than an 8-character password using all character types.

What is a passphrase and is it secure?

A passphrase is a string of random words, like "marble-cloud-seven-apple". They're typically 25–40 characters long, making them highly secure against brute-force attacks. They're also easier to remember than random characters — making them ideal for master passwords.

Should I use the same password for multiple accounts?

Never. Password reuse is the most common way accounts get compromised. When one site is breached, attackers automatically test the stolen credentials on other services. Use a unique password for every account — a password manager makes this practical.

Is a free password generator safe to use?

Our generator creates passwords entirely in your browser — nothing is sent to a server or stored anywhere. The generated passwords are cryptographically random. Copy the password directly into your password manager rather than typing it anywhere else.
