How to Create a Strong Password — That You Won’t Forget

Need to create a secure password that hackers can’t guess? Use a passphrase! Make it easy to remember, yet hard to crack.

Passwords. We all hate them. And we hate ours especially. We know they’re terrible, but making them stronger seems so hard: use upper and lower cases. Numbers. Symbols. Don’t use sentences, don’t use words, yada yada yada.

So you end up with something like M@5t3Rp@$$w0rd1967.

And who can remember that?

Well, what if we told you preachy glutton legislate shorter monsoon author made for a stronger password than M@5t3Rp@$$w0rd1967?

This kind of password is called a passphrase: a random collection of common words. It’s far easier to remember than “conventional passwords” — and yet far harder for hackers to crack.

Before we get into the mechanics of creating your very own passphrase, you may be wondering why this is necessary. How bad could your current passwords be?

Do I really need to change all my passwords?

Short answer: yes. If you’re like most people, odds are high that your password isn’t very good. Having an easy-to-guess password is just setting yourself up to get hacked.

How? Well, hackers have several methods:

  • Trying the most common passwords: hackers can easily find a way into accounts by trying some of the most commonly used passwords — things like 123456or the word password If you’re using one of these and haven’t been compromised yet, you might want to buy a lottery ticket because you’re one of the luckiest people in the world.
  • Brute force attacks: if your username and password get exposed in a data breach, hackers can use brute force attacks to unencrypt your data. Using a program, bad actors can cycle through all possible passwords (testing hundreds or thousands of possible options) until they come up with the right one. Even if you’ve used a combination of upper and lower case letters and special characters, modern technology can crack an 8-character password in about two hours(!).
  • Credential recycling: Once hackers or spammers have your username and password to one account, they can easily try these credentials on all your other accounts. If you’ve recycled your credentials (i.e., used that same username and password elsewhere) then suddenly these bad actors have the keys to the castle — access to all of your accountsthat share those credentials.

So, what does it take to beat the hackers? Which type of password would be considered secure? As annoying as it may be, you really do need to increase the length and complexity of your passwords, and use unique passwords for each account.

But it’s easier than you may think if you use passphrases.

What is a passphrase?

As mentioned above, a passphrase is a collection of common words combined together randomly into a phrase. Remember, an example of a passphrase is something like preachy glutton legislate shorter monsoon author.

The best passwords are ones that are 1) easy for you to remember and 2) hard for hackers to crack. Passphrases make the best passwords because they use real words that you can remember (rather than a collection of crazy symbols and letters) and they are very long, making them much harder to crack with brute force attacks or other tactics.

The only catch is that the common words in your passphrase need to be truly random in order to be a secure password.

Luckily, we’ve got a method for that. All you need are a few minutes and some dice…

How do I make a passphrase?

Making a passphrase can be simple but humans are notoriously bad at creating true randomness. We love patterns too much and all our words have meaning, so it makes it doubly hard for us to generate random passphrases.

Use a random passphrase generator online, or randomly select pages and entries in a dictionary. There’s even a passphrase generator online that uses dice to pick random words (Diceware).

Feel free to add symbols, capitals, or numbers into the mix if you like. This will increase the strength of the passphrase, and most services require special symbols.

Be careful about these two rare occurrences:

  • You end up with so many short words you have less than 17 characters.
  • You actually end up with some sort of sentence.

In both those cases, start over.

Remember, with this method, you’re trying to make it random. So don’t fudge the results because you think two words look good together. You’d be creating patterns (and weakening the strength of your passphrase.)

Write down your passphrase on a piece of paper until you’ve memorized it. It should sink in after a few uses. If you’re having trouble, create a story to make it easier to remember.

For example: The preachy glutton would legislate for a shorter monsoon season, the author said.

This is what memory masters do. Once you have it down, destroy the paper.


So can I use this passphrase everywhere?

No, you really shouldn’t.

Repeating passwords or passphrases for different services is among the worst security practices out there. As mentioned above, if one account gets hacked, they all get hacked.

Ideally, you would use a passphrase as the master password for a password manager. The manager can then create long, random passwords for each of your accounts, and keep track of it all for you. (No more puzzling over good password ideas — the program takes care of all that for you!) There are plenty of free or affordable password managers out there now, so there’s really no reason not to give one a try.

If you don’t want to use a password manager, then there are a couple of additional steps you should take:

  1. Create a passphrase for your most critical accounts, then add modifiers

These can be simple short-hand for the service or the full name. Using the example above, you could end up with:

G@G1 preachy glutton legislate shorter monsoon author Or

preachy glutton legislate shorter monsoon author Facebook1@

  1. Create a second passphrase for all the throwaway accounts

But even managing two passphrases can be a bit of a chore, so we’d really recommend a password manager.


Strong passwords: roundup

There are only two essential requirements for a strong password:

  • It should be long: Really long. 17 characters should be the minimum. For some future-proofing, making it at 20+ characters is better.
  • It should be random: Hackers are excellent at recognizing patterns and programming their tools to look for them.

That’s it.

So back to our original example, M@$t3Rp@$$w0rd1967. It may seem like a strong password, and many password checkers will tell you so. But it wouldn’t stand a chance against today’s hackers because it actually has a very simple structure: two words + a date.

Not only are the two words very common (“master” and “password”), they commonly go together. The substitutions taking place are predictable and so also easy to crack: A looks like @, S looks like $, and so on. And when people add numbers to their passwords, they often do it at the end and use a PIN or date – often of their birth.

Hackers know all these tricks and usually, try them first. And they use machines to do it.

How to increase your security even further

After creating your brand-new passphrase, you may be wondering if there’s anything else you can do to protect your accounts. And yes, in fact, there is!

Even if you have the best password in the entire world, you can still up your security even further by using two-factor identification, which requires a second means of verifying who you are other than your password.

Two-factor identification usually uses one of three things:

  1. Something you know: this could be a PIN code or something else, like the answers to your security questions.
  2. Something you have: for example, your phone (which can receive an authentication code via SMS), or your physical credit card (which you can verify using the CVV code on the back).
  3. Something you are:biometric data, such as your fingerprint.

It might seem complicated at first, but if you’re like most people, you’ve already been using two-factor identification for a long time. For example, any time you take money out of an ATM, you’re combining something you have (your debit card) with something you know (your PIN).

Similarly, you can enable two-factor authentication on most of your online accounts: your email provider, social media accounts, and (especially!) your online banking should all offer two-factor identification.

Green Country uses security phrases that you set in advance online (that are different from your username and password) and also encourages you to add a Face or Fingerprint scan on your mobile device.

Armed with your easy-to-remember passphrase, a password manager, and two-factor authentication, you’ll be more secure than a Swiss vault.