How to Create Strong Passwords You'll Actually Remember

The typical "strong password" advice is useless in practice: use 16 random characters, never reuse, change every 90 days, memorise all of them. No human does this. So people write Summer2024! on a sticky note and call it a day. This guide shows you a different approach — patterns that are genuinely strong and memorable, backed by what NIST actually recommends, plus how to offload the rest to a generator without losing control.

#Why "strong" usually means "unmemorable"

Most password rules were designed in the 1990s, when CPUs were slow and GPUs didn't crack hashes. The assumption was that an 8-character password with mixed case and a symbol would take years to brute-force. That hasn't been true since around 2015.

Modern GPU rigs can try billions of password hashes per second. What used to take years takes hours. But the response — forcing users to add more complexity — has backfired. When forced to include a symbol, roughly 80% of users just append ! or 1 to a predictable base word. Attackers know this, and their dictionaries know it too.

#The two ways passwords actually get cracked

There are really only two attacks you need to defend against:

1. Offline brute force — attacker has stolen a password hash (from a breach) and is trying every combination on their own hardware. Defence: length and randomness.
2. Online credential stuffing — attacker tries leaked passwords from other sites against your account. Defence: uniqueness per site.

Everything else — phishing, keyloggers, shoulder surfing — isn't solved by making your password stronger. It's solved by 2FA and good hygiene. So when we talk about "strong passwords," we're really talking about resisting those two attacks.

#Why complexity rules don't help

The updated NIST SP 800-63B guidelines explicitly recommend against composition rules like "must contain an uppercase letter, a number, and a symbol." Why? Because they don't meaningfully increase entropy in practice. Users cope with them by applying predictable transformations, and attackers bake those transformations right into their wordlists.

NIST now says: encourage length (at least 8, ideally much more), check against known breached passwords, and drop the silly rules.

#What makes a password genuinely strong

#Length beats complexity

Every character you add to a password roughly multiplies the search space by the size of the character set. For a 95-character keyboard:

• 8 chars → 95⁸ ≈ 6.6 × 10¹⁵ combinations (crackable in hours)
• 12 chars → 95¹² ≈ 5.4 × 10²³ (crackable in decades by a nation-state)
• 16 chars → 95¹⁶ ≈ 4.4 × 10³¹ (not crackable in your lifetime)

Doubling length is equivalent to squaring the search space. Adding a symbol to a short password adds almost nothing by comparison.

#Entropy in plain English

Entropy, measured in bits, is the number of guesses an attacker needs on average to find your password. Each bit doubles the work.

Here's the quick math in Python:

import math

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Shannon entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)

# 12 lowercase letters
print(entropy_bits(26, 12))  # 56.4 bits — weak

# 12 mixed-case + digits + symbols
print(entropy_bits(95, 12))  # 78.8 bits — OK

# 4 random words from a 7,776-word list (Diceware)
print(entropy_bits(7776, 4))  # 51.7 bits — OK-ish

# 5 Diceware words
print(entropy_bits(7776, 5))  # 64.6 bits — strong

A rule of thumb: aim for 60+ bits for normal accounts, 80+ bits for anything high-value (email, banking, password manager master key).

#The four real threats, ranked

Notice that only the middle two are actually about password strength. Phishing and stuffing are solved by behaviour, not by stronger characters.

#Four patterns for memorable, strong passwords

You need to actually remember a handful of passwords — your device, your manager, your main email. These patterns give you strong passwords that stick.

#Pattern 1: The four-word passphrase (Diceware)

Popularised by XKCD #936, Diceware asks you to pick words by rolling physical dice against a 7,776-word list. Four words ≈ 51 bits of entropy; five ≈ 64.

Example: truss-narrate-oxide-kidney-raven

It's five random, pronounceable English words. No leet-speak, no symbols. At 31 characters long, it's uncrackable by modern hardware for the foreseeable future, and most people can memorise it in under five minutes using a vivid mental image (a rusty oxide kidney strapped to a raven by a narrating truss — weird, but memorable).

The key word is random. "my favourite four words" gives you almost zero entropy because attackers have your Twitter. Use a real randomness source (dice, or a vetted generator — more below).

#Pattern 2: The sentence method

Pick a sentence you can remember — not a famous one — and turn it into a password by taking initial letters, numbers, and punctuation.

• Sentence: My cat Louis broke my 3rd espresso cup in 2023!
• Password: McLbm3ecI2023!

That's 14 characters across all four character classes. It's not as strong as a passphrase of equivalent length — the letters aren't uniformly random — but it's decent for low- to mid-value accounts and genuinely easy to recall.

Caution: don't use lyrics, quotes, or anything that could be guessed from your public profile. If it would appear in any existing text corpus, it's crackable by dictionary attack.

#Pattern 3: The keyboard-pattern base

Generate a truly random string you'll use as a root, then learn to type it as muscle memory. For example:

Xk7#pQ2mW9zL

After typing it 20 times across a week, your fingers know it. This is how people remember passwords for password managers — rote physical repetition beats conscious memorisation.

Tip: don't pick an obvious keyboard walk like qwerty123 or asdfzxcv!@#$. Attackers test thousands of keyboard patterns. Randomness is non-negotiable here.

#Pattern 4: The site-specific suffix (only for low-value accounts)

For dozens of throwaway accounts where a manager is overkill, use a strong base + a per-site transformation. This is NOT recommended for anything important — but it's better than reuse.

• Base: HurryKind-Lampshade7!
• Twitter: HurryKind-Lampshade7!Tw
• Reddit: HurryKind-Lampshade7!Re
• Your bank: use the manager, not this pattern

The weakness: if the base leaks once, the attacker can often guess the rest. That's why this pattern only belongs on accounts where a breach doesn't hurt you. Everything else goes in a manager.

#Using a generator for the 90% you don't need to remember

Here's the truth most advice dances around: you shouldn't memorise 200 passwords. You should memorise 3-5 and let a password manager store the rest — each one generated by a tool, never typed by you.

#When to memorise, when to store

#Generator settings that matter

When you use a password generator, these settings matter more than the rest:

• Length — set it to 20 or more. Every site that complains about length has a poor excuse.
• Alphabet — include symbols unless the site forbids them (some banks still do).
• Randomness source — a real generator uses crypto.getRandomValues in the browser, not Math.random(). If you can't verify this, assume the output is weak. This matters; see our explainer on why Math.random is unsafe for passwords.
• Local-only — the generator should never send bytes to a server. iKit's runs entirely client-side; you can open DevTools and confirm there's no network traffic when you generate.

Here's a minimal, secure generator you could run locally if you wanted to verify the principle:

function generatePassword(length = 20) {
  const alphabet =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
    "abcdefghijklmnopqrstuvwxyz" +
    "0123456789!@#$%^&*()-_=+[]{};:,.<>?";
  const out = new Uint32Array(length);
  crypto.getRandomValues(out);
  return Array.from(out, v => alphabet[v % alphabet.length]).join("");
}

console.log(generatePassword(24));
// e.g. "rP2#m!qT9@xLzE7vH*kY1bN$"

Note the use of crypto.getRandomValues — the browser's cryptographically secure RNG. Math.random() is seeded predictably and should never be used for anything security-sensitive.

#Validating that a password meets modern rules

If you want a simple check, here's a regex that matches any string of 14+ characters containing at least three of four character classes:

const strongEnough = (pw) =>
  pw.length >= 14 &&
  [/[a-z]/, /[A-Z]/, /\d/, /[^a-zA-Z0-9]/]
    .map(r => r.test(pw))
    .filter(Boolean).length >= 3;

strongEnough("correct horse battery staple"); // true
strongEnough("Tr0ub4dor&3");                  // false (too short)

For passphrases, you can skip character-class checks entirely — length plus random word selection already gives you the entropy you need.

#Common mistakes that kill strong passwords

Even with the right patterns, small habits destroy password strength. Watch for these:

• Reusing across sites. A breach at any one site hands attackers your credentials for every site where you reused it. Use Have I Been Pwned to check if any of your passwords already leaked.
• Predictable substitutions. P@ssw0rd provides no extra security over Password. Attackers apply these substitutions automatically.
• Birthdays, names, sports teams. Anything a stranger could learn from your LinkedIn or Instagram is a dictionary entry to an attacker.
• Writing it on a sticky note by the monitor. But if you must write it down, a paper note locked in a drawer is still better than reuse. Physical attacks on your home are rarer than online attacks on a reused password.
• Storing passwords in plain text files. The file is only as secure as your disk. If you need to store them, use a real manager.
• Sharing via Slack or email. Sent messages are logged; inboxes get compromised. Use a dedicated secrets-sharing tool, or generate a fresh password the recipient rotates immediately.

#About password expiration

The old advice — change your password every 90 days — is now formally deprecated by NIST. Rotation without cause pushes users toward minor tweaks (Spring2024! → Summer2024!), which attackers expect. Change a password when there's a reason (suspected breach, device loss), not on a schedule.

#Putting it together: a 15-minute action plan

A simple rollout you can do right now:

• Generate a 5-word passphrase for your password manager. Memorise it using a vivid mental image.
• Change the passwords on your top 5 accounts (email, banking, primary socials) to 20-character generated strings, stored in the manager. Enable 2FA on each — ideally hardware key or an authenticator app, never SMS.
• Over the next month, when you log into any other site, change its password to a generated one as you go. Don't try to do all 200 in one sitting.
• Print a recovery sheet for your manager's master key and put it in a fireproof box. Paper is a surprisingly good backup against digital failures.
• Check every password against HIBP periodically — most managers do this automatically.

That's it. You end up with 3 passwords in your head (device, manager, email) and a manager full of generated 20-character strings. That's stronger than almost anyone around you, and it's genuinely sustainable.

#Related on iKit

• Verify file integrity with MD5 and SHA-256 — The same hashing primitives behind password storage are what verify a downloaded installer hasn't been tampered with.
• Generate a UUID v4 (and when not to) — When randomness has to come from a CSPRNG — same crypto.getRandomValues() that powers a strong password generator.
• Generate a QR code for your Wi-Fi password — Once your network has a strong passphrase, encode the SSID and password into a QR so guests can scan-to-connect without typing 20 characters.