How to Create a Strong Password You'll Actually Remember

By Leo Martin · 8 min read

Good news: strong and memorable are not enemies. The secret is to stop thinking in fiddly characters and start thinking in random words. A passphrase of four or five unrelated words is long enough to be genuinely strong, yet vivid enough to stick in your head. Here's exactly how to build one — and why it beats the "complex" passwords most of us were taught to make.

Why "complex" passwords are so hard to recall

The traditional advice — mix upper and lower case, throw in numbers and symbols — produces passwords that are awkward for humans and not actually that strong for their length. We respond by leaning on tricks: a favourite word with predictable substitutions, a capital at the front, a number on the end. Those tricks are exactly what cracking tools expect, as I explain in how hackers actually guess your passwords. So you get the worst of both worlds: hard to remember and easier to crack than it looks.

The passphrase: long, strong and sticky

A passphrase flips the problem. Instead of squeezing strength into a few tortured characters, you get it from length — several random words strung together. Picture four words chosen at random, like an object, an animal, a colour and a verb. Because the words are unrelated, your brain turns them into a tiny, memorable scene. And because the whole thing is long, the number of possible combinations is enormous, which is what makes it hard to crack.

The crucial word is random. A passphrase only works if the words are picked unpredictably. A meaningful sentence you might actually say — a song lyric, a famous quote, your motto — is far weaker, because predictable phrases are exactly what attackers feed into their tools. Randomly chosen words have no such pattern to exploit.

How to pick truly random words

The honest answer is that humans are bad at being random — we drift toward words we like. The reliable way is to let something neutral do the choosing for you. You can use physical dice with a word list, or simply let our password generator assemble random output for you. The point is to remove your own bias, so the result isn't quietly predictable.

Making a passphrase stronger (without making it unmemorable)

A few light touches add strength while keeping a passphrase friendly:

  • Add a word. The simplest upgrade is length. Five random words is meaningfully stronger than four, and barely harder to remember.
  • Drop in a number or symbol between words if a site demands them — but keep it somewhere you'll remember, and don't rely on it for your strength. The words are doing the heavy lifting.
  • Keep capitalisation simple. A single capital somewhere is fine; don't tie yourself in knots. Length matters more than a scattering of capitals.

Want to see the effect? Type a candidate passphrase into our password analyser and watch the strength estimate. Then add a word and watch it jump. It's a satisfying way to feel why length wins.
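The dice-and-word-list method and the "add a word" effect described above, as an added example (not code from this site's generator or analyser). The 36-word list is constructed for illustration, and the 7776-word list size is an assumption based on the common five-dice list format.

```python
import math
import secrets

# Constructed 36-word sample list (6**2 entries, so two die rolls pick a word).
# Assumption: a real dice list is much larger; 7776 words (6**5) is a common size.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon",
    "garden", "hammer", "island", "jacket", "kettle", "ladder",
    "magnet", "needle", "orange", "pencil", "quartz", "rocket",
    "saddle", "tunnel", "umbrella", "violet", "walnut", "yellow",
    "zipper", "badger", "copper", "donkey", "engine", "forest",
    "goblin", "helmet", "indigo", "jungle", "kitten", "lantern",
]

def rolls_needed(list_size):
    """Number of die rolls per word; the list size must be a power of 6."""
    rolls, span = 0, 1
    while span < list_size:
        span, rolls = span * 6, rolls + 1
    if span != list_size:
        raise ValueError("list size must be a power of 6 for an unbiased dice lookup")
    return rolls

def rolls_to_index(rolls):
    """Read the rolls as base-6 digits: [1, 1] -> 0, [6, 6] -> 35."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("each die roll must be 1-6")
        index = index * 6 + (r - 1)
    return index

def generate_passphrase(num_words, wordlist=SAMPLE_WORDS, sep="-"):
    """Pick each word from simulated dice; secrets draws from the OS CSPRNG."""
    k = rolls_needed(len(wordlist))
    picks = []
    for _ in range(num_words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(k)]
        picks.append(wordlist[rolls_to_index(rolls)])
    return sep.join(picks)

def entropy_bits(num_words, list_size):
    """Bits of entropy when every word is drawn uniformly and independently."""
    return num_words * math.log2(list_size)

if __name__ == "__main__":
    print(generate_passphrase(4))
    for n in (4, 5, 6):
        print(n, "words from a 7776-word list:", round(entropy_bits(n, 7776), 1), "bits")
```

Each word from the 36-word sample list carries only about 5.2 bits, against about 12.9 bits per word for a 7776-word list, so swap in a full list before using the output for anything real.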

The honest truth: you can't memorise dozens of these

A passphrase is brilliant for the one or two passwords you truly must recall from memory — chiefly the master password that unlocks your password manager, and perhaps your main device login. But you should not try to memorise a unique passphrase for every account you own. That way lies reuse, and reuse is the habit that gets people hurt, as the worst-passwords lessons make clear.

So here's the strategy I actually recommend:

  • Memorise one strong passphrase for your password manager. This is the only password you need to keep in your head.
  • Let the manager generate and store everything else — long, random, unique passwords for each site that you never have to remember at all.
  • Turn on two-factor authentication on the manager and your most important accounts.

This gives you the best of both worlds: one memorable key you control, and a vault full of uncrackable passwords you never have to think about. Memorability where you need it, randomness everywhere else.

A quick recap

Strong and memorable live happily together when you build passwords from random words rather than tortured characters. Make your master passphrase four or five random words long, let a tool do the random choosing so your own bias doesn't sneak in, and lean on a password manager for everything beyond that one phrase. You'll end up safer and less frustrated — which is the whole point.

Build yours now: generate random words or a long password with our free in-browser generator, then check its strength in the analyser.

Frequently asked questions

What is a passphrase?

A passphrase is a password made of several words rather than a short jumble of characters. When the words are chosen at random, a handful of them creates a long, strong password that's surprisingly easy to picture and recall.

How many words should a passphrase have?

For important accounts, aim for at least four or five randomly chosen words. More words means more length and more strength. The words should be random rather than a meaningful phrase you might say aloud.

Are letter-for-number substitutions a good way to remember a password?

Not really. Swaps like a to @ or e to 3 are predictable and built into cracking tools, so they add little strength. A passphrase of random words is both stronger and easier to remember.

Do I need to memorise a password for every account?

No. The best approach is to memorise one strong passphrase for your password manager, then let it generate and store unique passwords for everything else. You only need to remember the one.

This article is general security education, not professional advice.