How to Create a Strong Password You’ll Actually Remember

The standard password advice — mix uppercase, lowercase, numbers, and symbols — produces passwords that are simultaneously hard to remember and easier to crack than most people realize. Here’s what the research actually says about strong passwords, and the approaches that give you genuine security without requiring you to memorize a string of random characters.

What Actually Makes a Password Strong

Password strength is fundamentally about the size of the search space an attacker must cover. Two factors dominate:

  • Length — Every additional character multiplies the number of possible combinations. A 16-character password is vastly stronger than an 8-character one, even with identical character sets.
  • Unpredictability — A password must not follow patterns that attackers know to try: dictionary words, keyboard walks (qwerty, 1234), predictable substitutions (@ for a, 3 for e), or common structures (Capital letter + word + number + symbol).

The NIST (National Institute of Standards and Technology) guidelines updated in 2017 specifically moved away from mandatory complexity rules toward length-based standards — because research showed that complexity requirements mostly produced predictable patterns (P@ssw0rd!) rather than genuinely unpredictable passwords.

The Passphrase Method

A passphrase is a sequence of random, unrelated words. The classic example is from the XKCD comic: “correct horse battery staple.” Four random words give you roughly 44 bits of entropy — stronger than most 8-character complex passwords. Five or six random words produce a passphrase that would take centuries to brute-force even with modern GPU clusters.

The key word is random. Phrases from books, song lyrics, or movie quotes are poor choices because attackers use these in dictionary attacks. Use a random word generator (EFF’s diceware list is excellent) to generate truly random words, not phrases you think of yourself.
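To make the entropy arithmetic above concrete, here is an added example (not from the article): it computes the bits for a diceware passphrase, a manager-generated random string, and the “Word+number+symbol” pattern an attacker can enumerate slot by slot, converts bits to an expected brute-force time, and draws words with a CSPRNG. The 7776-word size of the EFF long list and the 94 printable ASCII characters are real figures; the guess rate, the dictionary/number/symbol slot sizes and the six-word toy list are assumptions for illustration.

```python
import math
import secrets

# Added example (not from the article): entropy arithmetic behind the
# passphrase-vs-complexity argument, plus a CSPRNG-backed passphrase picker.
# The guess rate and the "structured" slot sizes are assumptions.

def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy in `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)

def passphrase_entropy(word_count: int, list_size: int = 7776) -> float:
    """Diceware-style passphrase; 7776 = 6**5 is the size of the EFF long list."""
    return entropy_bits(list_size, word_count)

def random_password_entropy(length: int, charset_size: int = 94) -> float:
    """Password-manager output: uniform picks from the 94 printable ASCII characters."""
    return entropy_bits(charset_size, length)

def structured_password_entropy(dictionary_size: int = 50_000,
                                number_choices: int = 100,
                                symbol_choices: int = 10) -> float:
    """The 'Capital word + number + symbol' pattern the article warns about.
    An attacker who knows the structure only enumerates each slot, so the
    search space is the product of the slot sizes, not charset**length.
    Slot sizes are assumed for illustration."""
    return (math.log2(dictionary_size) + math.log2(number_choices)
            + math.log2(symbol_choices))

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the space is searched."""
    return (2.0 ** bits / 2.0) / guesses_per_second

def generate_passphrase(word_list, word_count: int = 6, sep: str = " ") -> str:
    """Draw words with the OS CSPRNG (secrets), never with random.choice."""
    return sep.join(secrets.choice(word_list) for _ in range(word_count))

if __name__ == "__main__":
    rate = 1e10  # assumed: a GPU cluster against a fast, unsalted hash
    for label, bits in [("4 words, 2048-word list (XKCD)", passphrase_entropy(4, 2048)),
                        ("6 words, EFF long list", passphrase_entropy(6)),
                        ("Word+number+symbol pattern", structured_password_entropy()),
                        ("16 chars, manager-generated", random_password_entropy(16))]:
        years = expected_crack_seconds(bits, rate) / (365.25 * 24 * 3600)
        print(f"{label:32} {bits:6.1f} bits  ~{years:.3g} years")
    # Constructed toy list; real use needs the full 7776-word EFF list.
    print(generate_passphrase(["apple", "river", "stone", "cloud", "tiger", "lamp"]))
```

Note that the structured pattern scores far below four random words even though it satisfies every classic complexity rule, which is the point the NIST change was responding to.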

The Password Manager Method (Recommended)

The strongest approach is to stop trying to memorize passwords for individual sites at all. A password manager generates and stores a unique, truly random password for every site (something like: K#7mP9xQ2nB$wL4v). You only memorize one strong master password. This eliminates the password reuse problem that causes most account compromises.

Bitwarden is free, open-source, and well-audited. 1Password is popular for its interface. Both generate genuinely random passwords that no human pattern-based approach can match.

For Passwords You Must Memorize

Some passwords genuinely need to be memorized: your password manager’s master password, your email account password, your device unlock PIN. For these:

  1. Use a 6-word diceware passphrase minimum
  2. Add a memorable personal modifier only you’d think of (not in the passphrase, added after)
  3. Rehearse it — type it 5 times when you first create it, then again the next day
  4. Never write the exact password down; a written hint kept in physical storage is acceptable

Testing Your Password Strategy

Rather than entering an actual password into any online tool (never do this), you can evaluate your strategy — length, character variety, pattern type — using the Password Strength Test. It gives you crack time estimates across four attack methods and specific recommendations for your use case without you ever entering your real password.

Common Mistakes That Undermine Strong Passwords

  • Reusing a strong password — A brilliant password used on 10 sites is only as safe as the weakest site’s security practices.
  • Predictable modification patterns — Adding “1!” to an old password when forced to change it is one of the first patterns attackers try.
  • Using the same base password with variations — “Correcthorse1”, “Correcthorse2”, “Correcthorse3” are trivially enumerable once one is known.
  • Short passwords with high complexity — “P@5!” has higher complexity than “correcthorsebatterystaple” but is far weaker, because its search space is tiny.
