Most people create weak passwords for the same reason: they need to remember them. So they use a pet's name, a birthday, or the word "password" with a number stuck on the end. The result is a password that takes a computer less than a second to crack. The good news is that strong passwords and memorable passwords are not mutually exclusive — if you understand what actually makes a password secure.

What actually makes a password strong?

The strength of a password comes down to two things: length and unpredictability. Length is the bigger factor. Every character you add to a password multiplies the number of possible combinations an attacker must try. A 6-character password using only lowercase letters has around 300 million combinations. A 12-character password using the same character set has over 95 trillion.

| Password Length | Character Set | Possible Combinations | Time to Crack (fast computer) |
|---|---|---|---|
| 6 characters | Lowercase only | ~309 million | Instant |
| 8 characters | Lower + upper + numbers | ~218 trillion | ~1 hour |
| 12 characters | Lower + upper + numbers | ~3.2 quadrillion | ~200 years |
| 16 characters | All character types | Astronomical | Millions of years |

The rule: Aim for at least 12 characters. 16 or more is ideal for accounts that matter: email, banking, social media.

How SmartiTools rates password strength

  • Weak: short or only one character type
  • Fair: 8+ characters, 1–2 character types
  • Good: 8+ characters, 3–4 character types
  • Strong: 12+ characters, 3–4 character types

Why complexity rules are often wrong

You have probably seen password rules like "must include a capital letter, a number, and a special character." These rules feel rigorous, but they often produce weaker passwords than you might expect. When people are forced to add complexity, they do so in predictable ways: Password1! satisfies most complexity rules but is trivially crackable because it follows a pattern everyone knows.

Unpredictability matters more than ticking boxes. A long, random string of lowercase letters — say, giraffe-mango-river-cloud — is far stronger than P@ssw0rd despite having no special characters or uppercase letters, because its length and randomness make it exponentially harder to guess.
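
As an added example (not SmartiTools' code), the sketch below applies the four rating tiers from this page as a composition-only meter and pairs it with a simple pattern check, to show how the two can disagree. The tier precedence, the `COMMON` sample list and the `LEET` table are assumptions constructed for illustration.

```python
import re
import string

# Constructed sample of common base words, not a real breach list.
COMMON = {"password", "qwerty", "letmein", "welcome"}
# Undo the usual character substitutions: @->a, 0->o, 1->i, 3->e, 5->s, $->s
LEET = str.maketrans("@0135$", "aoiess")

def char_types(pw):
    """Count how many of the four character classes appear in pw."""
    return sum([
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(not c.isalnum() for c in pw),
    ])

def composition_rating(pw):
    """Rate by length and class count only, following the tiers on this page."""
    # Assumption: where tiers overlap, length of 8+ wins over "one character type".
    n, t = len(pw), char_types(pw)
    if n >= 12 and t >= 3:
        return "Strong"
    if n >= 8 and t >= 3:
        return "Good"
    if n >= 8:
        return "Fair"
    return "Weak"

def predictable(pw):
    """True if pw is a common word once trailing digits/symbols and leetspeak are undone."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.lower().translate(LEET) in COMMON

def audit(pw):
    """Return (composition rating, matches a known pattern)."""
    return composition_rating(pw), predictable(pw)

if __name__ == "__main__":
    for pw in ("Password1!", "P@ssw0rd", "giraffe-mango-river-cloud"):
        print(pw, audit(pw))
```

A meter that counts character classes needs a blocklist or pattern check beside it; otherwise it rewards exactly the substitutions described above.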

The passphrase method — strong and memorable

A passphrase is a sequence of random words strung together. It is one of the best strategies for creating a password you can actually remember without sacrificing security. The key word is random — do not pick words that relate to each other or to you personally.

Four random words give you roughly the same security as a 10-character random password with full complexity. Five words are stronger than almost anything a human could comfortably memorise in the traditional sense.

Tip: Use dice or a random word generator to pick your words. If you choose them yourself, your brain will unconsciously gravitate toward familiar or meaningful words, which are exactly the ones attackers try first.

What makes a password weak

Attackers do not try every possible combination from scratch. They use dictionaries of the most common passwords, names, words, and known patterns. Your password is weak if it appears in any of these lists:

Never reuse passwords. If one account is breached (and it will be — data breaches are routine), attackers automatically try your leaked credentials on every other major site. One reused password can cascade into a complete account takeover across email, banking, and social media.

How to manage passwords you can't remember

The passphrase method works well for a handful of important accounts. But most people have dozens or hundreds of accounts — remembering a unique, strong password for each one is impossible. This is where a password manager comes in.

A password manager stores all your passwords in an encrypted vault, protected by one master password (or passphrase). You only need to remember that one master password. The manager generates and fills in long, random, unique passwords for every other account automatically.

With a password manager, every one of your accounts can have a 20-character random password that you never have to think about. This is the single highest-impact change most people can make to their online security.

When to use a random generator

For accounts that you access via a password manager — which should be most of them — use a random password generator rather than creating passwords yourself. A generator using a cryptographically secure random source produces passwords with no patterns, no predictability, and no human bias. The passwords are not designed to be memorised; they are designed to be stored securely and retrieved automatically.

Reserve memorable passphrases for the things you truly need to type by hand: your device login, your password manager master password, and perhaps your email account.
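
An added example (not the code behind any generator mentioned on this page) of both kinds of secret, drawn from the operating system's cryptographically secure source via Python's `secrets` module. The `WORDS` list is a small constructed sample and the function names are illustrative assumptions.

```python
import math
import secrets
import string

# Constructed sample list; a real passphrase list needs thousands of words,
# because entropy per word is log2(len(list)).
WORDS = ["giraffe", "mango", "river", "cloud",
         "anchor", "velvet", "copper", "lantern"]

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def random_password(length=20, classes=("lower", "upper", "digit", "symbol")):
    """Uniform random password; redraw until every requested class appears."""
    if length < len(classes):
        raise ValueError("length too short for the requested classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        # secrets.choice uses the OS CSPRNG, unlike the random module.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejecting whole draws keeps all policy-compliant passwords equally
        # likely, which forcing a digit into a fixed position would not.
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw

def passphrase(n_words=4, words=WORDS, sep="-"):
    """Pick each word independently and uniformly (repeats allowed)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(choices, picks):
    """Entropy in bits of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)

if __name__ == "__main__":
    print(random_password())                       # for the password manager
    print(passphrase(5))                           # for typing by hand
    print(entropy_bits(len(WORDS), 5), "bits from this sample list")
```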

Quick checklist for a secure password:
  • At least 12 characters (16+ for important accounts)
  • No personal information
  • No dictionary words unless it is a multi-word passphrase
  • Unique — not used on any other site
  • Stored in a password manager, not written on a sticky note

Generate a strong password now

Use our free password generator to create secure, random passwords in seconds. Adjust the length and character types to match any site's requirements.
