How to Create Strong Passwords You Can Actually Remember
I was helping my dad set up a new CommBank login last year and asked him what password he wanted to use. He said "Fluffy2003", the name of our old cat and the year she was born. I checked, and he was using the same password for his email, his Medicare online account, and three different shopping sites. He's not careless; he's just a normal person who hasn't been shown a better way.
The problem isn't that people don't care about security, it's that creating and remembering strong, unique passwords for dozens of accounts feels impossible. This guide will show you practical techniques that actually work in real life, including the one that finally got my dad sorted.
Why Password Strength Matters
When a hacker tries to break into an account, they don't sit at a keyboard guessing passwords one by one. They use automated tools that can test billions of combinations per second. A short, simple password can be cracked in seconds or minutes. A long, complex one could take centuries.
Here's a rough idea of how long it takes to crack different passwords using modern hardware:
6 characters, lowercase only: Instantly
8 characters, mixed case + numbers: About 1 hour
12 characters, mixed case + numbers + symbols: About 3,000 years
16+ characters, passphrase: Longer than the age of the universe
The takeaway: length is king. A longer password is almost always better than a shorter, more complex one. That's it.
The Biggest Password Mistakes
Before we talk about what to do, let's cover what not to do. These are the most common password habits that put people at risk:
Reusing passwords across multiple sites. This is the single biggest mistake. When one service gets breached (and breaches happen all the time), attackers try those stolen passwords on every other popular service. If you use the same password for your email, bank, and social media, losing one means losing them all.
Using personal information. Your birthday, pet's name, child's name, anniversary, favorite sports team, or hometown are not secure passwords. This information is often publicly available on social media, and attackers know to try it.
Simple keyboard patterns. Passwords like "qwerty," "123456," "abc123," or "asdfgh" are among the first things attackers try. Any pattern that's easy to type is easy to guess.
Adding a single number or symbol to a common word. "Password1!" is not meaningfully more secure than "password." Attackers know people do this and their tools account for it.
Writing passwords on sticky notes at your desk. Physical security matters too. A password stuck to your monitor is visible to anyone who walks by, coworkers, visitors, cleaning staff, or anyone who takes a photo of your workspace.
Method 1: The Passphrase Technique
The most memorable way to create a strong password is to use a passphrase, a series of random words strung together. This works because length matters more than complexity, and words are much easier to remember than random characters.
Here's how to create a good passphrase. Pick 4-6 random, unrelated words. The key word is random, don't use a famous quote, song lyric, or common phrase. Think of words that create a vivid mental image, which makes them easier to remember.
✅ Good passphrases:
correct-horse-battery-staple
umbrella-piano-castle-penguin-volcano
mango-bicycle-lighthouse-thunder
❌ Bad passphrases:
iloveyousomuch (common phrase)
tobe-or-not-tobe (famous quote)
john-smith-1990 (personal info)
For extra security, you can add a number or symbol between words, capitalize an unexpected letter, or deliberately misspell one word. Even without these additions, a 4-word passphrase is extremely strong.
Method 2: The Sentence Method
Take a sentence that means something to you and convert it into a password using the first letter of each word, plus some numbers and symbols.
For example: "I graduated from Lincoln High School in 2015 with my best friend!" becomes IgfLHSi2015wmbf!
This creates a 16-character password that looks random but is easy to remember if you know the sentence. The key is choosing a sentence that's personal enough to remember but not one that someone could guess from your social media.
Method 3: Use a Password Manager (Recommended)
Here's the honest truth: the best approach for most people is to use a password manager. Full stop. A password manager is an app that generates, stores, and auto-fills strong, unique passwords for every account you have. You only need to remember one master password, the password manager handles everything else. I genuinely believe that if every Australian installed a password manager tomorrow, we'd see scam losses from credential theft drop by half within a year, it's the single most impactful thing an ordinary person can do for their online security, and it baffles me that it's still not taught in schools or promoted by banks alongside their fraud warnings.
How it works: You install the password manager app on your phone and browser. When you create a new account or change a password, it generates a random, super-strong password (like "x7#kP9mQ$vR2wL8n"). It saves this password and auto-fills it when you visit that site. All your passwords are encrypted and protected by your one master password.
Good free and paid options: Bitwarden is an excellent free, open-source option. Apple's built-in Passwords app (on iPhone, iPad, Mac) works great within the Apple ecosystem. Google Password Manager is built into Chrome and Android. 1Password and Dashlane are popular paid options with extra features.
For your master password, use the passphrase technique from Method 1. This is the one password you need to make strong and memorable, since it protects all your other passwords.
🔍 Has your password been compromised?
If you suspect your credentials have been leaked in a data breach, use our Threat Intelligence Search to check if a domain or hash has been flagged.
Search Threat Database, FreeExtra Security: Two-Factor Authentication
Even the strongest password can be stolen through phishing or a data breach. That's why you should also enable two-factor authentication (2FA) on every account that supports it. With 2FA, logging in requires both your password and a second verification, usually a code sent to your phone or generated by an authenticator app. This means even if someone steals your password, they still can't access your account.
We cover 2FA in detail in our dedicated guide: What Is Two-Factor Authentication and Why You Need It.
Frequently Asked Questions
How long should a strong password be?
At least 12 characters, but 16 or more is even better. Length matters more than complexity. A 20-character passphrase is much harder to crack than a short 8-character password full of symbols.
Are password managers safe to use?
Yes. Reputable password managers encrypt your data with strong encryption that even the company can't decrypt. Using one is significantly safer than reusing passwords. Trusted options include Bitwarden (free), 1Password, and built-in browser managers.
Should I change my password regularly?
Current guidance says you don't need to change passwords on a schedule unless they've been compromised. Frequent changes lead to weaker passwords. Use strong unique passwords and change them only when a breach is reported.
What makes a password easy to crack?
Short passwords (under 10 characters), common words, personal information, simple keyboard patterns, and reused passwords are all easy to crack. Automated tools test billions of combinations per second.
Here's What I'd Actually Do This Weekend
Install Bitwarden or Apple Passwords, spend an hour importing your saved passwords, and let the manager generate new ones for anything that's weak or reused. Create a strong passphrase as your master password, something like "pelican-thunder-bicycle-mango", and turn on two-factor authentication for everything important. My dad did exactly this over a Sunday arvo and hasn't had a single password issue since. It's not glamorous work, but it's the kind of boring weekend task that genuinely protects you for years. Just do it.