The most common passwords in the world are still "123456" and "password." The third most common is "123456789." These are followed by things like "qwerty," "abc123," and combinations of names and birth years. None of these take more than a fraction of a second to crack.
The second group of weak passwords is more interesting because they feel secure. Passwords like "Summer2024!" or "Liverpool1990!" or "MyDog$Rufus." They have uppercase letters. They have numbers. They have symbols. They technically pass the complexity requirements on most websites. And they are still cracked in minutes by modern tools, because they follow predictable patterns that attackers know about.
Understanding what actually makes a password secure, not just what looks secure, changes how you think about this problem.
What attackers actually do
Most password attacks are not someone at a keyboard guessing. They are automated cracking tools running on GPU hardware against a stolen list of password hashes, testing anywhere from thousands to billions of guesses per second depending on how the site hashed the passwords (a fast, unsalted hash like MD5 or NTLM falls to the high end of that range; a deliberately slow hash like bcrypt or Argon2 holds it to the low end). The tools start with the most common passwords, then move to dictionary words in various languages, then to dictionary words with common substitutions (replacing letters with numbers or symbols), then to combinations of words with digits and symbols appended, and only then to fully random strings.
The other major source of compromised passwords is data breaches. When a website's database is stolen and the password list gets published online, those passwords are immediately tested against every other major website and service. If you use the same password on multiple sites, one breach compromises everything.
This is called credential stuffing, and it is by far the most common way that accounts get taken over. Not clever hacking. Just taking a list of known username and password combinations and trying them on other services.
What actually makes a password strong
Length is the single biggest factor. Every additional character multiplies the number of possible combinations by the size of the alphabet, so the keyspace grows exponentially with length. An 8-character password drawn only from lowercase letters has about 200 billion possible combinations; drawing from the full set of 95 printable characters raises that to about 6.6 quadrillion (roughly 53 bits of entropy). That sounds like a lot, but a GPU rig attacking a fast, unsalted hash can try on the order of a trillion guesses per second, which exhausts an 8-character keyspace in minutes to hours. A slow server-side hash stretches that enormously, but you cannot tell from the outside which kind a site uses, so plan for the fast case.
A 16-character random password drawn from the same 95 characters has about 4 × 10^31 combinations (roughly 105 bits of entropy). At a trillion guesses per second, exhausting that keyspace would take on the order of a trillion years. Brute force is simply not an option, which is why attackers spend their effort on the patterns and reuse described above instead.
Randomness is the second critical factor. A 16-character password based on a real word or a predictable pattern is far weaker than a 16-character truly random string, because attackers know about the patterns and test them first. "CorrectHorse2024!" might be 17 characters but it follows patterns that make it much easier to crack than a random 12-character string.
Uniqueness per account means that if one password leaks in a breach, nothing else is affected. This is the rule most people ignore because it requires managing many different passwords. A password manager solves this.
Passphrases vs passwords
A passphrase is four or more random words strung together: "correct horse battery staple" (a famous example from an XKCD comic). It is stronger than most human-chosen passwords because the words are picked at random from a large list, and it is much easier to remember because human memory handles words better than random characters.
Strength comes from how many words the attacker has to search, not from the letter count, because the attacker is assumed to know the wordlist. Four words chosen at random from a 7,776-word list give about 52 bits of entropy, roughly the same as an 8-character fully random password; six words give about 78 bits, roughly a 12-character random password. Either is far easier to remember than its random-string equivalent. The key word is random. "I love my dog" is not a good passphrase because it is a predictable sentence. "Marble Tuesday Cliff Sodium" is much better because there is no logical connection between the words, and adding a fifth or sixth word makes it stronger still.
OnlineToolsPlus has a Passphrase Generator that creates random word combinations. Use it if you need a password you will actually type from memory regularly, like your computer login or password manager master password.
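As an added illustration (not code from the original page or from OnlineToolsPlus), here is a passphrase generator in Python that picks words with the operating system's CSPRNG via the `secrets` module and reports how much entropy the attacker has to search. The wordlist is a constructed sample of sixteen words; a real passphrase should be drawn from a large published list, and the 7,776 figure used for the estimates is the size of such a list, not of the sample.

```python
import math
import secrets

# Constructed sample wordlist for this example only. A real generator draws from a
# large published list (the 7,776-word lists used with dice are the usual choice).
# Entropy depends on the size of the list the attacker must assume, not on the
# letters inside the words.
SAMPLE_WORDS = [
    "marble", "tuesday", "cliff", "sodium", "lantern", "orbit", "velvet", "quartz",
    "harbor", "cinder", "meadow", "pixel", "saddle", "tundra", "walnut", "zephyr",
]


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words chosen independently and uniformly from list_size words."""
    return word_count * math.log2(list_size)


def chars_to_match(bits: float, alphabet_size: int = 95) -> float:
    """How many uniformly random characters from a 95-symbol alphabet carry the same entropy."""
    return bits / math.log2(alphabet_size)


def generate_passphrase(word_count: int = 4, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick word_count words with secrets.choice (a CSPRNG, not random.choice).

    Repeats are allowed on purpose: each pick stays independent, so the entropy
    formula above is exact. Filtering out duplicates would only lose a little entropy.
    """
    if word_count < 1 or not words:
        raise ValueError("need at least one word and a non-empty wordlist")
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for n in (4, 5, 6):
        bits = passphrase_entropy_bits(n, 7776)
        print(f"{n} words from a 7,776-word list: {bits:.1f} bits, "
              f"about {chars_to_match(bits):.1f} random printable characters")
    print("sample (from the tiny demo list, so not for real use):", generate_passphrase(4))
```

Run with a real list by replacing `SAMPLE_WORDS`; four words from the sixteen-word demo list carry only 16 bits and exist purely to show the mechanics.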
Password managers
The reason most people reuse passwords is that remembering dozens of unique complex passwords is not realistic. Password managers solve this by storing all your passwords securely and filling them in automatically. You only need to remember one strong master password.
Bitwarden is free and open source. 1Password is excellent and costs a few dollars a month. Your browser has a built-in password manager that works reasonably well for most people. Any of these is better than reusing passwords.
With a password manager, you can have a completely unique, fully random 20-character password for every single account without remembering any of them. This is the correct way to handle passwords.
How to generate a strong password with OnlineToolsPlus
- Open the Password Generator below.
- Set the length to 16 characters or more. For accounts that allow it, 20 or 24 is better.
- Enable all character types: uppercase letters, lowercase letters, numbers, and symbols.
- Click Generate. Get a few options and pick one.
- Copy it into your password manager.
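The same procedure as a script, added here as an example and not the generator's own code: it draws each character uniformly from the enabled classes with the `secrets` module and rejects any candidate that is missing an enabled class, which is how a generator can guarantee "all character types" without biasing the result. The symbol set is a constructed subset; adjust it to whatever the target site accepts.

```python
import math
import secrets
import string

# Character classes the generator can draw from. The symbol set is a constructed
# subset chosen for this example; widen or narrow it to what the target site accepts.
CHARACTER_CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALL_CLASSES = ("upper", "lower", "digits", "symbols")


def has_every_class(password: str, classes=ALL_CLASSES) -> bool:
    """True if at least one character from each enabled class is present."""
    return all(any(ch in CHARACTER_CLASSES[c] for ch in password) for c in classes)


def generate_password(length: int = 20, classes=ALL_CLASSES) -> str:
    """Uniformly random password over the union of the enabled classes.

    Each character is an independent secrets.choice draw (CSPRNG, no modulo bias).
    Candidates missing an enabled class are thrown away and redrawn. At length 12
    or more that is rare, so it costs a negligible amount of entropy and, unlike
    "force one symbol into position N", it leaves every surviving password equally likely.
    """
    if not classes or length < len(classes):
        raise ValueError("length must be at least the number of enabled classes")
    alphabet = "".join(CHARACTER_CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_every_class(candidate, classes):
            return candidate


def entropy_bits(length: int, classes=ALL_CLASSES) -> float:
    """Entropy of `length` independent uniform draws from the combined alphabet."""
    alphabet_size = sum(len(CHARACTER_CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for length in (16, 20, 24):
        print(f"{length} chars, all classes: {entropy_bits(length):.1f} bits, "
              f"e.g. {generate_password(length)}")
```

The `length < len(classes)` check matters: asking for a 3-character password with four required classes would otherwise loop forever.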
Everything happens in your browser. No passwords are sent anywhere or logged.
Generate strong passwords for your accounts right now. Free, instant, private.
Why password managers change everything
The argument against complex passwords has always been that they are impossible to remember. This argument collapses once you use a password manager. A password manager remembers your passwords so you do not have to, which means the complexity and uniqueness of each password is no longer limited by human memory. You can have a different 20-character random password for every site you use, and you only need to remember one master password to access them all.
The master password for your password manager is the one password worth memorizing carefully. Make it long, memorable and unlike anything you have used before. A short phrase of four or five unrelated words works well. Something like "correct horse battery staple" is famous as an example of a secure memorable password because it is long, random in its combination and easy to recall once you have it. Do not use that exact phrase, though: being famous, it sits in every cracking wordlist, so generate your own random words.
What makes a password hard to crack
Password cracking works by systematically trying possibilities. Simple attacks try common passwords and dictionary words. More sophisticated attacks try every combination of characters up to a certain length. The time required to crack a password grows exponentially with its length, which is why length matters more than complexity.
An eight-character password using only lowercase letters has about 200 billion possible combinations (26^8), which a GPU rig attacking a fast hash can work through in seconds. The same length drawn from uppercase, lowercase, numbers and symbols has about 6.6 quadrillion combinations (95^8), which takes hours at the same rate but is still crackable. A 16-character lowercase password has about 4 × 10^22 combinations (26^16), which takes centuries to brute-force even with fast hardware.
The practical implication is that length beats complexity. A 16-character lowercase password is more secure than an 8-character password with every character type. Aiming for at least 12 characters and including a mix of character types covers both dimensions without requiring passwords that are difficult to type when needed.
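To see where these figures come from (and the ones in the "What actually makes a password strong" section above), here is a small Python calculator added as an example; it is not part of the original page. The two guess rates are assumptions for illustration only: about 10^12 guesses per second for a multi-GPU rig against a fast unsalted hash, and 10^4 per second for the same rig against a deliberately slow hash such as bcrypt or Argon2 at a conservative cost. Real rates depend on the hardware and on the hash parameters the site chose.

```python
import math

# Assumed guess rates for illustration (not measurements from this page).
FAST_HASH_RATE = 1e12   # multi-GPU rig against a fast unsalted hash such as MD5 or NTLM
SLOW_HASH_RATE = 1e4    # same rig against a deliberately slow hash such as bcrypt or Argon2

LOWERCASE = 26
ALPHANUMERIC = 62
PRINTABLE = 95


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the keyspace: the bits a uniformly random password of this shape carries."""
    return length * math.log2(alphabet_size)


def average_crack_seconds(length: int, alphabet_size: int, rate: float) -> float:
    """Expected time for exhaustive search: on average the target is found halfway through."""
    return keyspace(length, alphabet_size) / 2 / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(cases, rate: float):
    """Rows of (label, bits, expected crack time) for (label, length, alphabet_size) cases."""
    return [
        (label, round(entropy_bits(n, a), 1), human_duration(average_crack_seconds(n, a, rate)))
        for label, n, a in cases
    ]


if __name__ == "__main__":
    cases = [
        ("8 lowercase", 8, LOWERCASE),
        ("8 mixed (95 printable)", 8, PRINTABLE),
        ("12 mixed", 12, PRINTABLE),
        ("16 lowercase", 16, LOWERCASE),
        ("16 mixed", 16, PRINTABLE),
    ]
    for rate, label in ((FAST_HASH_RATE, "fast hash"), (SLOW_HASH_RATE, "slow hash")):
        print(f"--- {label} at {rate:.0e} guesses/s ---")
        for name, bits, duration in compare(cases, rate):
            print(f"{name:<24} {bits:6.1f} bits  {duration}")
```

Two things the table makes obvious: 16 lowercase characters (about 75 bits) beat 8 characters from every class (about 53 bits) regardless of the rate, and the slow-hash column is the server's contribution, not yours, so a password has to survive the fast-hash column on its own.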
Passwords you should change now
Reused passwords are the most urgent problem for most people. If you use the same password on multiple sites and one of those sites has a data breach, every account sharing that password is immediately compromised. Data breaches happen constantly at companies of all sizes, and the leaked password databases are used to attack other services automatically within hours of a breach becoming public.
Short passwords, passwords that are words or names, passwords based on dates and passwords that follow predictable patterns like capitalizing the first letter and adding numbers at the end are all vulnerable to the same dictionary and pattern attacks. If your password is any of these, it should be replaced with a generated random password stored in a password manager.
Two-factor authentication adds a second verification step beyond the password that significantly increases account security. A compromised password is not enough on its own to get into an account protected by two-factor authentication; the attacker also needs the second factor, typically a code generated by an app or sent by text message. Codes from an authenticator app or a hardware security key are stronger than codes sent by text message, which can be intercepted through SIM swapping, but any second factor beats none. Enabling two-factor authentication on high-value accounts is more impactful for security than having a perfect password without it.