How to Create a Strong Password — and Actually Remember It
Every week, millions of passwords are exposed in data breaches. Most of them are embarrassingly easy to crack — "123456", "password", and "qwerty" still rank among the most commonly used credentials in the world. Yet creating a genuinely strong password is not difficult once you understand what actually makes one secure.
What Makes a Password Strong?
Security researchers measure password strength in terms of entropy — essentially how many guesses an attacker would need to crack it. Two factors drive entropy more than anything else:
- Length: Every extra character multiplies the number of possible combinations by the size of the character set, so the guessing effort grows exponentially with length.
- Unpredictability: Characters that are genuinely random rather than following a pattern (like swapping 'E' for '3') are far harder to guess.
A 20-character random password is orders of magnitude stronger than an 8-character one, even if the shorter one uses special characters. Length wins.
The Four Rules of a Strong Password
1. Make it at least 16 characters long
Modern cracking hardware can test billions of passwords per second. An 8-character password — even with symbols — can be brute-forced in minutes. Sixteen characters or more puts you well out of reach of automated attacks.
2. Mix character types
Use a combination of uppercase letters, lowercase letters, numbers and symbols. However, do not rely on predictable substitutions — "P@ssw0rd" is well known to cracking dictionaries and offers almost no security benefit over "Password".
3. Never reuse passwords
If one site is breached and you reuse passwords, attackers will try your credentials on every other service you use — a technique called credential stuffing. Each account must have a unique password.
4. Make it random, not personal
Passwords based on your name, birthday, pet, or favourite sports team are weak because this information is often publicly available or easily guessed. True randomness is key.
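As an added illustration of rules 1, 2 and 4 (this is example code written for this article, not code from the original page or from Toolify's Password Strength Checker), the Python below flags a candidate password that is too short, lacks variety, reduces to a well-known password once predictable substitutions such as "@" for "a" and "0" for "o" are undone, or contains a personal term the user supplies. The set of common passwords and the substitution map are constructed, illustrative samples; a real checker loads a large breach-derived list. Rule 3 (reuse) cannot be checked by a single function and is left to a password manager's vault audit.

```python
import string

# Constructed sample of frequently breached passwords. A real checker would
# load a large breach-derived list; these few entries are illustrative only.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}

# Predictable substitutions to undo before the dictionary lookup, so that
# "P@ssw0rd" is recognised as "password". The mapping is deliberately lossy.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})


def normalize(password: str) -> str:
    """Lower-case the password and undo common leet substitutions."""
    return password.lower().translate(LEET_MAP)


def strip_suffix(password: str) -> str:
    """Drop trailing digits and symbols, e.g. 'Password123!' -> 'Password'."""
    return password.rstrip(string.digits + string.punctuation)


def check_password(password: str, personal_terms=()) -> list:
    """Return a list of findings against rules 1, 2 and 4.

    An empty list means nothing was flagged. Reuse (rule 3) cannot be
    checked here; that is what a password manager's vault audit is for.
    """
    findings = []

    # Rule 1: length.
    if len(password) < 16:
        findings.append("too short: use at least 16 characters")

    # Rule 2a: character variety.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        findings.append("low variety: mix at least three character types")

    # Rule 2b: a dictionary word dressed up with substitutions and a suffix.
    base = normalize(strip_suffix(password))
    if base in COMMON_PASSWORDS:
        findings.append(f"predictable: normalizes to common password '{base}'")

    # Rule 4: personal information (name, pet, team, year) embedded in it.
    norm = normalize(password)
    for term in personal_terms:
        if len(term) >= 3 and normalize(term) in norm:
            findings.append(f"personal: contains '{term}'")

    return findings


if __name__ == "__main__":
    # Constructed candidates: a leet-substituted dictionary word, a pet name
    # with a year, and a random 18-character string.
    for candidate in ["P@ssw0rd", "Fluffy2019rocks!!", "Tq7!mVx2#pLq9$wRzN"]:
        result = check_password(candidate, personal_terms=["Fluffy"])
        print(candidate, "->", result or "no findings")
```

The normalisation step is the important one: a checker that only counts character classes rates "P@ssw0rd" as using all four, which is exactly why that string still passes many sign-up forms while offering no real protection.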
The Passphrase Method
If you struggle to remember random strings, passphrases are an excellent alternative. A passphrase is a sequence of four or more unrelated words, for example correct-horse-battery-staple. This approach works because:
- It is long (each word adds significant entropy)
- It is genuinely random (the words are unrelated)
- It is memorable — the mental image of a horse with a staple makes it stick
A good passphrase of five random words is stronger than most 12-character passwords with symbols.
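The following Python puts numbers on the entropy discussion under "What Makes a Password Strong?" and on the passphrase method above. It is an added example, not code from the original article or from Toolify. It computes entropy in bits for a uniformly random string (length times log2 of the alphabet size), generates both kinds of credential with the `secrets` module, and compares the schemes. `SAMPLE_WORDS` is a constructed 16-word list used only so the code runs offline; the 7776-word figure is the size of the standard diceware list, which gives about 12.9 bits per word. One caveat the numbers make visible: a fully random 12-character password from the printable set carries about 78.7 bits, more than a five-word diceware phrase at 64.6 bits, so the article's comparison holds against the human-chosen 12-character passwords people actually pick, which follow patterns and fall well below either figure.

```python
import math
import secrets
import string

# Letters, digits and punctuation: 94 characters.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list. A real passphrase must draw from a large
# published list (the common diceware list has 7776 words, about 12.9 bits
# per word); with only 16 words each pick is worth just 4 bits.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "lantern", "orbit", "velvet",
    "cactus", "marble", "thunder", "pickle", "glacier", "saddle", "ember",
    "walrus", "quartz",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).

    For a passphrase, alphabet_size is the word-list size and length the
    number of words; for a character password, the character-set size and
    the character count. An attacker needs about 2**bits guesses in total.
    """
    return length * math.log2(alphabet_size)


def average_guess_time(bits: float, guesses_per_second: float) -> float:
    """Seconds to find the secret on average (half the keyspace searched)."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG (never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 5, sep: str = "-") -> str:
    """Passphrase of `count` words drawn uniformly from `words` (repeats allowed)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_schemes() -> dict:
    """Entropy, in bits, of the schemes discussed in the article."""
    return {
        "8 random printable chars": entropy_bits(len(PRINTABLE), 8),
        "12 random printable chars": entropy_bits(len(PRINTABLE), 12),
        "20 random printable chars": entropy_bits(len(PRINTABLE), 20),
        "5 words from a 7776-word list": entropy_bits(7776, 5),
        "5 words from SAMPLE_WORDS": entropy_bits(len(SAMPLE_WORDS), 5),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        # Illustrative rate only: real figures depend on the hash in use.
        days = average_guess_time(bits, 1e10) / 86400
        print(f"{scheme:32s} {bits:6.1f} bits  ~{days:.3g} days at 1e10 guesses/s")
    print("random password :", generate_password())
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The guess-time line uses a placeholder rate of ten billion guesses per second; the real figure depends on how the service hashes passwords, which is exactly why the entropy figure, not the clock time, is the number to reason about.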
🔐 Try it now: Use Toolify's Password Generator to create a cryptographically random password instantly, or check an existing one with the Password Strength Checker.
Use a Password Manager
The honest truth is that no human can memorise dozens of unique, 20-character random passwords. A password manager solves this elegantly — you remember one strong master password, and it handles the rest. Popular options include Bitwarden (free and open-source), 1Password, and Dashlane.
Common Mistakes to Avoid
- Using the same password across multiple sites
- Storing passwords in a plain text file or spreadsheet
- Sharing passwords over email or messaging apps
- Relying on security questions (their answers are often guessable)
- Using passwords shorter than 12 characters for important accounts
Enable Two-Factor Authentication
Even the strongest password can be compromised through phishing or a breach you have no control over. Two-factor authentication (2FA) adds a second layer of protection — typically a code from an app like Google Authenticator. Enable it on every account that offers it, especially email and banking.
Summary
- Use passwords of at least 16 characters
- Mix character types, but avoid predictable substitutions
- Never reuse a password across accounts
- Consider passphrases for memorable-yet-strong credentials
- Use a password manager so you only need to remember one
- Enable 2FA wherever possible