How to Create Strong Passwords (and Actually Remember Them)
Learn what makes a password strong in 2026, the biggest mistakes people make, and a practical system for managing passwords without losing your mind.
Most people know they should use strong passwords. Most people don't, because the alternatives seem inconvenient or confusing. This guide explains what makes a password strong, why common habits leave you exposed, and a practical system you can actually stick to.
What makes a password strong (and what doesn't)
Password strength is about how long it would take an attacker to guess it. There are two main attack scenarios:
Online attacks — the attacker is trying passwords through a login form. These are slow because systems add delays and lock accounts after failed attempts. Even a 6-character password takes a while to crack this way. Most "your account was hacked" incidents don't use brute-force online attacks — they use credential stuffing (more on that below).
Offline attacks — the attacker has obtained a hashed copy of the password database and is trying to crack hashes on their own hardware. Modern GPUs can test billions of hashes per second. This is where weak passwords fail quickly.
The two properties that matter most:
Length beats complexity
A 20-character lowercase password is significantly stronger than an 8-character password with symbols. Here's why: each character you add multiplies the keyspace by the size of the character set. Going from 8 to 12 characters (using lowercase + numbers only) increases the number of possible passwords by about 1.6 million times.
The old advice about substituting letters with numbers (p@ssw0rd) is effectively useless — crackers have dictionaries of these substitutions and try them automatically.
Uniqueness beats memorability
This is the point where most people's security falls apart: reusing the same password across multiple sites. When one site gets breached (it happens constantly), attackers take the leaked credentials and try them on other services. This is credential stuffing, and it succeeds because most people use the same password everywhere.
A single unique password per service is more important than how complex that password is.
The biggest password mistakes
Using personal information. Names of family members, pets, birthdays, and anniversary dates are all in social media profiles. They get guessed first.
Using common words or phrases. "correct horse battery staple" became famous as an example of a strong passphrase — and was then added to every cracker's wordlist. Any password that appears in guides, memes, or popular culture should be considered compromised.
Incremental updates. Changing "Password1" to "Password2" after a forced reset fools no one. Crackers try all single-character variants automatically.
Reusing passwords across sites. Already covered above, but worth repeating: this is the single most common reason accounts get compromised in 2026.
Storing passwords in plaintext. In a notes app, a spreadsheet, a sticky note — these are all visible to anyone with access to that device or file.
Using "security questions" as a second factor. Your mother's maiden name, your first car, your childhood street — these are guessable or findable. Many services let you put a random string as the security question answer; treat it like a password.
Two approaches that actually work
1. Use a password manager
This is the right answer for most people. A password manager stores all your passwords in an encrypted vault, lets you generate a unique random password for every site, and autofills them so you don't have to type or remember them. You only need to remember one strong master password.
Good options:
- Bitwarden — open source, free tier is excellent, cross-platform. Recommended starting point.
- 1Password — polished UI, good family sharing, paid only.
- KeePassXC — local-only, open source, no cloud sync unless you set it up yourself.
With a password manager, your per-site passwords can be 20–30 random characters (xK9#mQ2vLp7rNd3wJs5t). You'll never type or remember them — the manager handles it.
The master password for your manager needs to be both strong and memorable. The best approach here is a passphrase: four or five unrelated random words strung together, like "marble-kettle-frost-umbrella-seven". The words make it memorable; the combination makes it strong. Avoid famous phrases or song lyrics.
2. Use a passphrase system (if you must remember passwords)
Some situations require a memorable password: the master password for your manager, your device login, work systems that prevent password manager autofill.
A good passphrase is at least four genuinely random words. "Random" is the key word — not words you associate with each other or with your life. The easiest way to generate them is to roll dice and use a Diceware wordlist, or to use a tool like the ToolBox Password Generator, which can also generate passphrases.
A five-word Diceware passphrase has about 64 bits of entropy — more than enough for a master password even against offline attacks.
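The keyspace and entropy figures quoted above ("length beats complexity" and the 64 bits for five Diceware words) follow from simple arithmetic. The following is an added example, not code from the original guide: it computes those figures in JavaScript and also shows how a five-dice roll is turned into a position in a Diceware wordlist. The alphabet sizes and the 7776-word list size are the standard ones; function names such as rollsToIndex are this example's own.

```javascript
// Added example, not from the original guide: the arithmetic behind
// "length beats complexity" and the Diceware entropy figure.

// Bits of entropy for `length` characters chosen uniformly at random from an
// alphabet of `alphabetSize` symbols: log2(alphabetSize ** length).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Factor by which the keyspace grows when a uniformly random password goes
// from `fromLength` to `toLength` characters over the same alphabet.
function keyspaceGrowth(fromLength, toLength, alphabetSize) {
  return Math.pow(alphabetSize, toLength - fromLength);
}

// Alphabet sizes used in the comparisons below.
const LOWER = 26;          // a-z
const LOWER_DIGITS = 36;   // a-z plus 0-9
const FULL_PRINTABLE = 94; // printable ASCII without the space character

// Standard Diceware lists hold 6^5 = 7776 words, one per five-dice roll.
const DICEWARE_LIST_SIZE = 7776;

function dicewareEntropyBits(wordCount) {
  return entropyBits(wordCount, DICEWARE_LIST_SIZE);
}

// Converts a five-roll key such as "31415" into a 0-based index into a
// Diceware wordlist. The list is sorted by key, so the key is a base-6
// number whose digits run 1..6: "11111" -> 0, "66666" -> 7775.
function rollsToIndex(rolls) {
  if (!/^[1-6]{5}$/.test(rolls)) {
    throw new Error(`expected five dice rolls 1-6, got "${rolls}"`);
  }
  let index = 0;
  for (const ch of rolls) {
    index = index * 6 + (Number(ch) - 1);
  }
  return index;
}

// The guide's headline comparison: 20 lowercase letters versus 8 characters
// drawn from the full printable set. True when the longer password wins.
function longerBeatsComplex() {
  return entropyBits(20, LOWER) > entropyBits(8, FULL_PRINTABLE);
}

// Collects the figures the guide quotes, rounded for display.
function report() {
  return {
    lower20: entropyBits(20, LOWER).toFixed(1),            // ~94.0 bits
    printable8: entropyBits(8, FULL_PRINTABLE).toFixed(1), // ~52.4 bits
    growth8to12: keyspaceGrowth(8, 12, LOWER_DIGITS),      // 36^4 = 1679616
    diceware5: dicewareEntropyBits(5).toFixed(1),          // ~64.6 bits
  };
}

console.log(report());
```

The entropy figures assume every character (or word) is chosen uniformly at random; a human-chosen password of the same length has far less entropy, which is why the guide tells you to roll dice rather than pick words yourself.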
Password generator: what to look for
If you're generating passwords rather than storing them in a manager (for example, you need to create one for a new service immediately), here's what a good generator should do:
- Use a cryptographically secure random source. Browser-based tools use window.crypto.getRandomValues(), which is a proper CSPRNG. Avoid any tool that generates passwords purely with Math.random().
- Never send your password to a server. A password generator should run entirely in your browser. The password should never leave your device.
- Let you control length and character set. Minimums vary by site — some don't allow symbols, some require them. A good generator lets you configure this.
- Support passphrases as well as random strings. Passphrases are better for things you'll need to type.
ToolBox Password Generator runs entirely in your browser (no server involved), uses window.crypto for randomness, and lets you toggle uppercase, lowercase, numbers, and symbols, as well as choose length.
What about two-factor authentication (2FA)?
Strong passwords matter. 2FA matters more.
Even a weak password is much harder to exploit if you have 2FA enabled, because the attacker also needs access to your phone or authenticator app. Enable 2FA on every account that supports it, prioritising:
- Email (this is the master key — password resets go here)
- Banking and financial accounts
- Your password manager itself
- Work accounts
- Social media (these get targeted for account takeovers)
Use an authenticator app (Google Authenticator, Authy, Bitwarden Authenticator) rather than SMS. SMS 2FA can be bypassed via SIM-swapping attacks. App-based TOTP (time-based one-time passwords) is much more secure.
Practical system for getting started
If this feels overwhelming, start here:
Today:
1. Install Bitwarden (free) on your phone and browser.
2. Create a strong master passphrase (four+ random words) and set that as your Bitwarden master password.
3. Enable 2FA on Bitwarden itself.
This week:
4. Enable 2FA on your email account.
5. Enable 2FA on your bank.
6. As you log into each site, save the password in Bitwarden and generate a new unique one.
Over time:
7. When you log into a site and realise you're using a reused password, update it to a generated one.
8. Check Have I Been Pwned to see if your email appears in known data breaches.
You don't need to change everything at once. Focus on high-value accounts first (email, banking, work), then gradually migrate everything else.
The one-sentence summary
Use a password manager, generate a unique 20-character password for every site, and turn on app-based 2FA for your email and financial accounts — everything else is secondary.
Need to generate a strong password right now? ToolBox Password Generator runs in your browser, never sends your password anywhere, and takes five seconds.