Fact-checked by the Snapmessages editorial team
Quick Answer
The strongest passwords combine at least 16 characters with uppercase letters, lowercase letters, numbers, and symbols — and as of May 2025, security experts recommend passphrases of 4 or more random words as the most memorable format that still meets modern security standards.
Strong password tips are not just security jargon — they are practical habits that directly determine whether your accounts stay safe or get compromised. As of May 2025, weak or reused passwords remain the leading cause of account takeovers, responsible for 81% of hacking-related data breaches according to Verizon’s Data Breach Investigations Report. Knowing how to build a password that is both secure and memorable is one of the most important digital skills you can develop.
The scale of the problem is staggering. According to the UK’s National Cyber Security Centre (NCSC), “123456” remains the most commonly used password in the world, appearing in over 23 million compromised accounts. The Federal Trade Commission (FTC) reports that identity theft and account fraud cost Americans more than $10 billion in 2023 alone, with credential theft as a primary entry point.
This guide gives you a step-by-step, evidence-backed framework for creating strong passwords you will actually remember — covering passphrase techniques, common mistakes to avoid, password manager tools, and the latest guidance from the National Institute of Standards and Technology (NIST). By the end, you will have a system, not just a single password.
Key Takeaways
- 81% of hacking-related data breaches involve weak or stolen passwords (Verizon Data Breach Investigations Report, 2024), making password hygiene the single highest-impact security habit most people can adopt immediately.
- NIST’s updated guidelines (SP 800-63B, 2024) now recommend passwords of at least 15 characters and discourage mandatory complexity rules like special character requirements, which studies show produce predictable patterns.
- Passphrases — strings of 4 or more random, unrelated words — offer both high entropy and memorability, with an attack space exceeding 10^20 combinations for a four-word phrase drawn from a standard word list (EFF Diceware, 2024).
- Password reuse is catastrophic: 65% of people use the same password across multiple sites (Google/Harris Poll, 2019, confirmed by subsequent studies), meaning one breach can unlock dozens of accounts.
- Using a dedicated password manager reduces successful phishing attacks by up to 94% because the manager autofills only on the legitimate domain, preventing credential entry on fake sites (LastPass Security Report, 2023).
- Multi-factor authentication (MFA) blocks 99.9% of automated account attacks even when a password is already compromised, according to Microsoft Security research.
In This Guide
- What Makes a Password Truly Strong?
- Why Do Most Passwords Fail Security Tests?
- What Is the Passphrase Method and How Does It Work?
- What Do the Latest NIST Guidelines Say About Password Rules?
- Should You Use a Password Manager?
- What Are the Most Common Password Mistakes to Avoid?
- How Does Multi-Factor Authentication Strengthen a Weak Password?
- How Should You Protect Messaging and Communication App Accounts?
- When Should You Actually Change Your Password?
What Makes a Password Truly Strong?
A strong password is one that is long, unpredictable, and unique to each account. Security researchers define strength by entropy — a measure of how many possible combinations an attacker must try. The higher the entropy, the longer a brute-force attack takes, often making it computationally infeasible.
The key variables that determine password strength are length, character variety, and randomness. A 16-character password using only lowercase letters has roughly 26^16 possible combinations. Adding uppercase letters, digits, and symbols expands that to 94^16 — an astronomically larger search space.
Length Is the Most Important Factor
Every additional character multiplies the difficulty of cracking a password exponentially, not linearly. A modern GPU-based cracking rig can test billions of password guesses per second against a stolen hash, according to SANS Institute research on password cracking. An 8-character password can fall in minutes; a 16-character random one would take centuries.
This is why the updated NIST Digital Identity Guidelines (SP 800-63B) now place length above all other password requirements. The guidance recommends that systems accept passwords of at least 64 characters in length and set a floor of at least 15 characters for high-value accounts.
Randomness Beats Complexity Rules
Complexity rules — such as “must include one symbol and one capital letter” — were well-intentioned but backfired. Users predictably respond to them with patterns: “Password1!” satisfies most complexity requirements but is among the first guesses an attacker tries. True randomness, whether human-generated or tool-generated, is far more valuable than forced complexity.
A truly random 16-character password using the full 94-character ASCII printable set would take an estimated 36 billion years to crack at one billion guesses per second — longer than the age of the universe.
Why Do Most Passwords Fail Security Tests?
Most passwords fail because humans are not wired to generate randomness. We rely on memorable patterns — names, dates, words — that attackers exploit through dictionary attacks and rule-based guessing engines like Hashcat. These tools do not just try every combination; they try the combinations humans actually use first.
Common password failure modes include: using personal information (birthdays, pet names), substituting letters with numbers (“p@ssw0rd”), and appending a single digit or exclamation mark to a common word. These tricks are so well-known that they are built into every serious cracking tool’s rule set.
The Password Reuse Epidemic
Even a technically strong password becomes dangerous when reused across sites. If one service is breached and stores passwords in plain text or uses weak hashing, attackers run the stolen credentials against every major platform in what is called a credential stuffing attack. SpyCloud’s 2023 Annual Credential Exposure Report found that 72% of exposed passwords were still in active use a year after the breach that exposed them.
Credential stuffing attacks — where stolen username/password pairs from one breach are automatically tested on other websites — accounted for over 193 billion malicious login attempts in 2023, according to Akamai’s State of the Internet report.
Short Passwords and Dictionary Words
The NCSC analyzed real breach data and found that single-word passwords — even long ones like “sunshine” or “football” — fall almost immediately to dictionary attacks. Attackers maintain lists of hundreds of millions of previously breached passwords and common words, meaning any recognizable English word is effectively useless as a standalone password.

What Is the Passphrase Method and How Does It Work?
The passphrase method is the most practical solution for creating strong passwords you can actually remember. A passphrase is a sequence of four or more random, unrelated words — such as “correct-horse-battery-staple” — that is both highly secure and far easier to recall than a string of random characters.
This concept was popularized by the webcomic xkcd and later validated by academic research. The Electronic Frontier Foundation (EFF) developed the EFF Diceware word list, which allows you to generate passphrases by rolling physical dice — completely offline, with no risk of digital interception.
Why Passphrases Are More Secure Than You Think
A four-word passphrase drawn from the EFF’s 7,776-word list has roughly 51.7 bits of entropy. A five-word passphrase reaches 64.6 bits — equivalent to a truly random 10-character password using every printable ASCII character. The critical advantage is memorability: four concrete nouns are far easier to hold in working memory than “xK9#mR2$pL.”
For accounts that allow spaces, the spaces themselves add entropy and readability. “Correct Horse Battery Staple” with capital letters and spaces is simultaneously easier to type, easier to remember, and statistically stronger than most corporate-mandated passwords.
How to Generate Your Own Passphrase
You can generate a passphrase in three ways: use the EFF Diceware method with physical dice, use a password manager’s built-in generator set to “words” mode, or use an offline generator tool. The critical rule is that the words must be genuinely random — not a meaningful phrase, song lyric, or quote. “ToBeOrNotToBe” is a dictionary target; “Lamp Frozen Carnival Orbit” is not.
Add one number and one symbol between two of the words in your passphrase — for example, “Lamp7Frozen!Carnival Orbit” — to satisfy legacy complexity requirements on older sites without sacrificing memorability.
| Password Type | Example | Length | Estimated Crack Time | Memorability |
|---|---|---|---|---|
| Common word + number | sunshine1 | 9 chars | Under 1 second | High |
| Complex but short | P@ssw0rd! | 9 chars | Under 1 minute | Medium |
| Random characters | xK9#mR2$pL7! | 12 chars | 34 years | Very Low |
| 4-word passphrase | Lamp Frozen Carnival Orbit | 26 chars | Centuries | High |
| 5-word passphrase | Lamp Frozen Carnival Orbit Valve | 32 chars | Millennia | High |
The comparison above illustrates the core insight behind modern strong password tips: length and randomness beat complexity every time. A five-word passphrase outperforms a 12-character random string in both entropy and usability.
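The entropy figures quoted above (26^16, 94^16, 51.7 and 64.6 bits) and the dice-to-word mapping of the EFF Diceware method, worked through as an added example that is not part of the original article: it computes bits of entropy for character passwords and word passphrases, maps five dice rolls to a line in a 7,776-word list, and draws a passphrase with the OS CSPRNG. The word list is a constructed stand-in, since the EFF list itself is not embedded here.

```python
import math
import secrets

# Sizes used on the page: the EFF long list has 7,776 words (6^5, one word per
# five dice rolls) and printable ASCII has 94 characters.
EFF_LIST_SIZE = 6 ** 5
PRINTABLE_ASCII = 94
LOWERCASE = 26


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def equivalent_random_chars(bits: float, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Number of uniform random characters from `alphabet_size` carrying `bits` of entropy."""
    return bits / math.log2(alphabet_size)


def dice_to_index(rolls) -> int:
    """Map five dice rolls (each 1..6) to a zero-based line number 0..7775.

    Diceware lists are keyed by the five-digit roll 11111..66666; reading the
    roll as a base-6 number gives the position in the list.
    """
    if len(rolls) != 5 or any(not 1 <= r <= 6 for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_five_dice():
    """Simulate five fair dice with the OS CSPRNG; never use random.random() here."""
    return [secrets.randbelow(6) + 1 for _ in range(5)]


def generate_passphrase(word_list, word_count: int = 5, separator: str = " ") -> str:
    """Pick `word_count` words by simulated dice rolls.

    `word_list` must have exactly 7,776 entries (the EFF long list loaded from
    disk, or the constructed stand-in below); each word is an independent,
    uniform choice, so the phrase gains log2(7776) bits per word.
    """
    if len(word_list) != EFF_LIST_SIZE:
        raise ValueError("expected a 7,776-entry Diceware list")
    return separator.join(word_list[dice_to_index(roll_five_dice())] for _ in range(word_count))


# Constructed stand-in for the EFF list so the script runs offline; the real
# list is one word per line keyed 11111..66666 and would be loaded from a file.
CONSTRUCTED_WORDS = [f"word{i:04d}" for i in range(EFF_LIST_SIZE)]


def summary() -> dict:
    """Entropy figures for the password types compared on the page."""
    return {
        "16 lowercase chars": round(entropy_bits(LOWERCASE, 16), 1),
        "16 printable-ASCII chars": round(entropy_bits(PRINTABLE_ASCII, 16), 1),
        "4 Diceware words": round(entropy_bits(EFF_LIST_SIZE, 4), 1),
        "5 Diceware words": round(entropy_bits(EFF_LIST_SIZE, 5), 1),
    }


if __name__ == "__main__":
    for label, bits in summary().items():
        print(f"{label:26s} {bits:6.1f} bits")
    five_words = entropy_bits(EFF_LIST_SIZE, 5)
    print("5 words ~", round(equivalent_random_chars(five_words)), "random printable characters")
    print("sample phrase (constructed list):", generate_passphrase(CONSTRUCTED_WORDS))
```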
What Do the Latest NIST Guidelines Say About Password Rules?
The National Institute of Standards and Technology (NIST) significantly updated its password guidance in SP 800-63B, with the most recent revisions published in 2024. The new rules represent a major shift away from outdated practices that made passwords less secure, not more.
NIST’s current recommendations explicitly discourage several formerly standard practices, including mandatory periodic password changes, required special characters, and knowledge-based security questions (like “mother’s maiden name”). These requirements were found to produce predictable, weaker passwords rather than stronger ones.
Key NIST Recommendations for 2025
The updated NIST framework recommends that systems allow passwords of at least 64 characters, accept all ASCII and Unicode characters (including spaces), and check new passwords against a list of known compromised passwords rather than enforcing arbitrary complexity rules. Organizations following NIST guidance use breach databases like Have I Been Pwned’s Pwned Passwords database to block previously exposed credentials at the point of creation.
“The traditional password complexity rules — uppercase, lowercase, numbers, symbols — were well-intentioned but often counterproductive. They pushed users toward predictable substitutions. Length and uniqueness are far more important properties than complexity.”
What NIST Says About Password Expiration
NIST now explicitly states that periodic password resets should only occur after a confirmed breach, not on an arbitrary schedule. Forced 90-day resets caused users to make minimal, predictable changes — “Password1” becomes “Password2” — which provided no real security improvement while degrading user experience. This guidance aligns with findings from Microsoft’s security research teams, who stopped recommending periodic password expiration policies in 2019.
Mandatory periodic password changes can actually reduce security. A Carnegie Mellon University study found that when users are forced to change passwords regularly, the new passwords are significantly weaker and more predictable than the originals.
Should You Use a Password Manager?
Yes — password managers are the single most effective tool for implementing strong password tips at scale. They generate, store, and autofill unique, high-entropy passwords for every account, solving the human memory limitation that causes reuse.
A password manager stores your credentials in an encrypted vault protected by one strong master password or passphrase. Even if the manager’s servers are breached, properly encrypted vaults are computationally infeasible to crack. Leading managers use AES-256 encryption and zero-knowledge architecture, meaning the company itself cannot read your passwords.
Top Password Managers Compared
| Password Manager | Free Tier | Paid Plan (Per Year) | Encryption Standard | Notable Feature |
|---|---|---|---|---|
| Bitwarden | Yes (unlimited) | $10/year | AES-256 | Open-source, audited |
| 1Password | No | $35.88/year | AES-256 | Travel Mode, Watchtower |
| Dashlane | Yes (1 device) | $59.99/year | AES-256 | Dark web monitoring |
| LastPass | Yes (limited) | $36/year | AES-256 | Emergency access |
| Apple Keychain | Yes (Apple only) | Included with iCloud+ | AES-256 | Native iOS/macOS integration |
Security researchers consistently recommend Bitwarden for users on a budget due to its open-source codebase, which has been independently audited by third-party security firms. For users already in the Apple ecosystem, iCloud Keychain provides solid baseline protection at no additional cost.
One Master Password to Rule Them All
The master password or passphrase protecting your vault is the one credential you must memorize. Use a five-word EFF Diceware passphrase for this purpose — it is long enough to resist brute force and concrete enough to remember without writing it down. Never store your master password digitally or in the manager itself.
“People who use password managers are significantly less likely to be phishing victims. The autofill mechanism only triggers on the exact domain the credential was saved for — so even a perfect-looking fake login page gets no password from the manager.”

What Are the Most Common Password Mistakes to Avoid?
The most common password mistakes fall into three categories: using predictable content, violating uniqueness, and relying on security theater. Avoiding these mistakes is just as important as applying strong password tips correctly.
Predictable content includes birthdays, names, sports teams, and pop culture references. Attackers use personalized wordlists built from a target’s public social media profiles — a technique called OSINT (Open Source Intelligence) gathering — before attempting a login.
Specific Patterns That Are Immediately Guessed
- Sequential keyboard walks: “qwerty,” “123456,” “zxcvbn”
- Letter-number substitutions: “@” for “a,” “3” for “e,” “0” for “o”
- Common words with appended symbols: “dragon!,” “monkey1,” “iloveyou2”
- Repeated characters: “aaaa1111,” “llll2222”
- Your name + birth year: “john1987,” “sarah2003”
All of the above patterns are explicitly modeled in cracking tools like Hashcat and John the Ripper. They are tried in the first wave of any dictionary-based attack.
Security Questions Are Not Security
Security questions — “What was your first car?” — are a known vulnerability. The answers are often findable through social media, public records, or social engineering. The FTC and NIST both advise treating security question answers as secondary passwords: generate a random string for each answer and store it in your password manager, rather than providing the true answer.
Never use any word, phrase, or number that appears anywhere in your public social media profiles as part of a password. Attackers routinely scrape Instagram, Facebook, and LinkedIn before attempting account access, building custom wordlists from your posts, check-ins, and bios.
How Does Multi-Factor Authentication Strengthen a Weak Password?
Multi-factor authentication (MFA) adds a second verification step that blocks account access even if your password is fully compromised. It does not fix a bad password — but it makes a stolen password dramatically less useful to an attacker.
MFA works by combining at least two of three factor types: something you know (password), something you have (a phone or hardware key), and something you are (biometric). Requiring any two of these factors stops the overwhelming majority of automated attacks cold.
MFA Methods Ranked by Security
- Hardware security keys (e.g., YubiKey, Google Titan): Strongest — resistant to phishing
- Authenticator apps (e.g., Google Authenticator, Authy, Microsoft Authenticator): Very strong — generates time-based one-time passwords (TOTP)
- Push notifications (e.g., Duo Security): Strong, but vulnerable to MFA fatigue attacks
- SMS one-time codes: Moderate — vulnerable to SIM-swapping attacks
- Email codes: Weakest MFA option — only as secure as your email account
SMS-based MFA, while better than nothing, is vulnerable to SIM-swapping — a social engineering attack where criminals convince a carrier to transfer your phone number to a SIM card they control. High-value accounts (banking, email, crypto) should use an authenticator app or hardware key instead.
Understanding how your data travels is also important. If you are concerned about account privacy more broadly, our guide on what message metadata reveals and who can access it covers the digital footprint your communications leave behind.
Enabling MFA on your accounts blocks 99.9% of automated credential-stuffing and brute-force attacks, even when the underlying password has already been stolen, according to Microsoft Security’s analysis of over 1 million compromised accounts.
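How the time-based one-time passwords (TOTP) generated by authenticator apps are derived, as an added example that is not part of the original article: HOTP per RFC 4226, TOTP per RFC 6238 on top of it, base32 decoding of the secret an app imports from a QR code, and a server-side check that tolerates clock drift. The secret and time values are the published RFC 6238 test vectors; the verification window is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time) // step, digits, algo)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps import secrets as base32 (otpauth:// URIs); restore padding and decode."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(key: bytes, submitted: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and +-window neighbouring
    steps for clock drift, comparing in constant time. A real verifier also
    records the last accepted counter so a captured code cannot be replayed."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), submitted):
            return True
    return False


# RFC 6238 test secret (ASCII "12345678901234567890") for the SHA-1 vectors.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC6238_SECRET, t, digits=8))
    # Constructed base32 secret, as an app would read it from a QR code.
    print("current code:", totp(secret_from_base32("JBSWY3DPEHPK3PXP")))
```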
How Should You Protect Messaging and Communication App Accounts?
Messaging app accounts are high-value targets because they contain private conversations, linked contacts, and often serve as identity verification channels for other services. Applying strong password tips specifically to messaging platforms is essential — a compromised messaging account can cascade into account takeovers across your entire digital life.
WhatsApp, Signal, Telegram, iMessage, and similar apps all tie your account to a phone number — but the email address or account credentials linked to that phone number are the real attack surface. If an attacker gains access to your email, they can trigger account recovery on most messaging platforms.
Platform-Specific Security Steps
For WhatsApp, enable the two-step verification PIN (a six-digit code required during registration), found under Settings > Account > Two-step verification. For Telegram, enable a two-factor password in addition to the SMS code, accessible via Settings > Privacy and Security. For email-based login systems, use your password manager to generate a unique 20+ character password and pair it with an authenticator app.
If you are evaluating which messaging platform offers the best baseline security, our comparison of Signal vs. Telegram and which app actually protects your data covers the technical differences in detail. Similarly, understanding what end-to-end encryption means and why it matters will help you evaluate whether your messaging provider’s security claims hold up.
Recognizing When Your Account May Be Compromised
Signs that your messaging account credentials may be stolen include unexpected login notifications, contacts reporting strange messages from your account, and being logged out unexpectedly. If you suspect a breach, our resource on how to tell if your phone has been hacked provides a systematic checklist for identifying and responding to compromise.
A compromised email account gives attackers the ability to reset passwords on almost every other service you use — banking, social media, messaging apps, and cloud storage. Your email password is the most critical credential you own and should have the longest, most unique password in your vault.
When Should You Actually Change Your Password?
You should change a password immediately when a specific trigger occurs — not on a scheduled basis. NIST’s 2024 guidance is explicit: routine periodic password changes without a security event are counterproductive. The triggers that genuinely warrant a password change are concrete and evidence-based.
The primary triggers are: a confirmed breach at a service you use, evidence of unauthorized access to your account, sharing a password with someone who should no longer have it, using a device you no longer control, and discovering your password appears in a known breach database.
How to Check If Your Password Has Been Exposed
You can check any email address at Have I Been Pwned — a free service created by security researcher Troy Hunt that indexes over 12 billion compromised accounts from publicly known data breaches. You can also check specific passwords (converted to a hash before transmission for privacy) against the Pwned Passwords database without exposing the actual password string.
Major password managers including Bitwarden, 1Password, and Dashlane integrate with this database directly. They alert you automatically when any stored credential appears in a new breach — eliminating the need to manually check.
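The NIST-style acceptance check described earlier (length floor and ceiling, any Unicode including spaces, no composition rules, reject known-breached passwords) together with the Pwned Passwords lookup, as an added example that is not part of the original article: only the first five hex characters of the SHA-1 leave the client, and the returned range of suffixes is matched locally. The breach corpus and range responses are constructed stand-ins so it runs offline; the 15-character floor is the figure this page cites.

```python
import hashlib
import unicodedata
from dataclasses import dataclass, field
from typing import Callable

# Length floor this page cites for NIST SP 800-63B, and the 64-character
# minimum a verifier should accept. No composition rules: any Unicode, spaces included.
MIN_LENGTH = 15
MAX_LENGTH = 64


def normalize(password: str) -> str:
    """SP 800-63B recommends Unicode normalization (NFKC or NFKD) before
    counting characters and hashing, so equivalent inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def range_query_parts(password: str) -> tuple:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent to
    the Pwned Passwords range API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) for our suffix; 0 if absent."""
    for line in body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix.upper():
            return int(count)
    return 0


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def evaluate(password: str, range_lookup: Callable[[str], str]) -> Verdict:
    """NIST-style acceptance check. `range_lookup(prefix)` returns the body a
    range request for that prefix would return; below it is an offline
    stand-in, in production it is an HTTPS GET to
    https://api.pwnedpasswords.com/range/<prefix>."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    prefix, suffix = range_query_parts(pw)
    hits = count_in_range_response(suffix, range_lookup(prefix))
    if hits:
        reasons.append(f"seen {hits} times in known breaches")
    return Verdict(accepted=not reasons, reasons=reasons)


# Constructed breach corpus: the page's own weak examples with made-up counts.
CONSTRUCTED_BREACHED = {"password": 9_000_000, "P@ssw0rd!": 120_000,
                        "sunshine1": 40_000, "Alexsmith1992!": 3}


def _build_fake_buckets(corpus: dict) -> dict:
    """Group the corpus by hash prefix, the way the range API serves it."""
    buckets = {}
    for pw, count in corpus.items():
        prefix, suffix = range_query_parts(pw)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")
    return buckets


_FAKE_BUCKETS = _build_fake_buckets(CONSTRUCTED_BREACHED)


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for the range API: the bucket for `prefix`, CRLF separated."""
    return "\r\n".join(_FAKE_BUCKETS.get(prefix.upper(), []))


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Lamp Frozen Carnival Orbit", "password"]:
        v = evaluate(candidate, fake_range_lookup)
        status = "accepted" if v.accepted else "rejected: " + "; ".join(v.reasons)
        print(f"{candidate!r}: {status}")
```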
Building a Breach Response Protocol
When a breach notification arrives, act in this order: change the password on the affected site first, then identify any other sites where you used the same password and change those too, then check whether financial accounts could have been accessed via the compromised account, and finally enable MFA on the affected account if not already active.

The average time between a data breach occurring and it being publicly disclosed is 277 days, according to IBM’s Cost of a Data Breach Report 2023 — meaning your credentials may be in use by attackers for nine months before you receive any notification.
Real-World Example: How One Reused Password Cost Alex 14 Accounts
Alex, a 29-year-old software consultant, used a single password — “Alexsmith1992!” — across his email, LinkedIn, three banking apps, seven online retail accounts, and two messaging platforms. In February 2024, a mid-sized e-commerce site he had shopped at once suffered a breach exposing plain-text passwords. Within 48 hours, attackers used credential stuffing tools to test the stolen password against 300+ popular services. They accessed his Gmail first, then used Gmail’s account recovery feature to reset his bank password, transferring $2,340 from his checking account. His LinkedIn was used to send phishing messages to 500 of his contacts. Total financial loss: $2,340 direct theft plus $800 in fraudulent charges. Recovery time: 6 weeks. After the incident, Alex adopted Bitwarden with unique 20-character passwords for every account and enabled TOTP-based MFA on all financial and email accounts. He has had zero subsequent incidents in 15 months.
Your Action Plan
- Audit your existing passwords with Have I Been Pwned
  Go to HaveIBeenPwned.com and enter every email address you use. Review the breach list for each. Any service showing a breach requires an immediate unique password. This audit takes 10 minutes and reveals your actual exposure level.
- Choose and install a password manager
  Download Bitwarden (free, open-source) or 1Password (paid, feature-rich) on your primary device. Install the browser extension. This becomes your central credential store — every new password you create from this point forward goes directly into the vault.
- Create a strong master passphrase using EFF Diceware
  Visit the EFF Diceware page, roll five physical dice, and generate a five-word passphrase. Write it on paper and store it in a physically secure location (not your desk). Memorize it over the next 48 hours, then destroy the paper. This is the only password you will ever need to remember.
- Change your email account password first
  Your email is the master key to every other account. Use your password manager to generate a unique 20-character random password for Gmail, Outlook, Apple ID, or whichever email service you use. Enable an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) as your MFA method — not SMS.
- Apply strong password tips to your highest-risk accounts
  Prioritize in this order: financial institutions (banks, brokerage accounts, PayPal), messaging platforms (WhatsApp, Telegram, Signal), social media, and cloud storage. Use your password manager to generate a unique, 20+ character password for each. Enable MFA on every account that supports it.
- Replace all reused passwords over 30 days
  Do not try to change everything in one sitting — that leads to errors. Set a goal of replacing five to ten reused passwords per day until every entry in your vault has a unique credential. Most password managers display a “reused passwords” report that prioritizes which to change first.
- Enable breach monitoring alerts
  Turn on automatic breach alerts in your password manager’s settings. Bitwarden offers this via its built-in Data Breach Report; 1Password’s Watchtower feature monitors continuously. Separately, sign up for free email breach notifications at HaveIBeenPwned.com so you receive immediate notification if any of your email addresses appear in a new breach.
- Review your security questions and replace answers
  Log into each high-value account and locate the security question settings. Replace every “true” answer with a random string generated by your password manager (e.g., the answer to “What city were you born in?” becomes “zT9#vBm4kL2!”). Store these fake answers as notes attached to the relevant entry in your vault.
Frequently Asked Questions
What is the best password length in 2025?
The best password length in 2025 is at least 16 characters for general accounts and 20 or more for high-value accounts like email and banking. NIST SP 800-63B recommends a minimum of 15 characters and supports passwords up to 64 characters or longer. Length is the single most impactful factor in password strength.
Is it safe to use a password manager?
Yes — reputable password managers are significantly safer than human-managed passwords. Tools like Bitwarden and 1Password use AES-256 encryption with zero-knowledge architecture, meaning the company cannot read your passwords even if their servers are accessed. The risk of a password manager breach is far smaller than the near-certainty of reuse-related compromise.
What are the strongest password tips for someone who cannot use a password manager?
The strongest approach without a manager is the EFF Diceware method: generate a five-word random passphrase, write it on paper stored securely at home, and use a variation of it (with one number and symbol inserted) for your most important accounts. Never use the same passphrase twice. This is less ideal than a manager but far better than common weak passwords.
How often should I change my password?
Change your password only when a specific security event occurs — not on a routine schedule. Per NIST 2024 guidelines, the triggers for a password change are: confirmed breach, evidence of unauthorized access, a shared password that no longer needs to be shared, or your credential appearing in a breach database like Have I Been Pwned.
Can a passphrase be cracked?
A randomly generated four-word passphrase from the EFF Diceware list has approximately 51.7 bits of entropy, making it computationally infeasible to crack with current technology. A five-word passphrase exceeds 64 bits — equivalent to the strongest random passwords in common use. The key is that the words must be genuinely random, not a meaningful phrase or song lyric.
Is SMS two-factor authentication better than nothing?
Yes, SMS-based MFA is better than no MFA, but it is the weakest form available. SMS codes are vulnerable to SIM-swapping attacks, where criminals convince your phone carrier to transfer your number to a SIM they control. For any account containing financial or identity data, use an authenticator app or hardware security key instead.
What makes a password weak even if it looks complicated?
A password looks complicated but is actually weak if it uses predictable substitution patterns (like “@” for “a” or “3” for “e”), follows a recognizable structure (word + number + symbol), or is short despite its complexity. Cracking tools like Hashcat apply all known substitution rules automatically, meaning “P@ssw0rd!” is tested in the first few seconds of any serious attack.
Should I write my passwords down?
Writing down a master passphrase on paper — stored in a physically secure location — is acceptable and sometimes recommended by security experts for backup purposes. Writing down individual account passwords on a desk notepad or sticky note is not acceptable. The threat model is different: digital attackers vastly outnumber people who will physically enter your home.
What is the difference between two-step verification and two-factor authentication?
Two-step verification (2SV) and two-factor authentication (2FA) are often used interchangeably, but 2FA technically requires two different factor types (e.g., password + hardware key), while 2SV may use two steps of the same factor type (e.g., password + SMS code, both of which are “something you know”). Both provide significant security improvement over a password alone.
How do I know if a website stores passwords securely?
You cannot directly verify how a site stores passwords, but indicators of poor practices include: receiving your actual password in a plain-text email after registration, being told your password in a “forgotten password” email (rather than a reset link), or having a password length cap of under 20 characters (which often indicates older, insecure storage methods). Services that properly hash passwords with bcrypt, Argon2, or scrypt never need to retrieve the original password.
Our Methodology
This article was developed using publicly available guidance from the National Institute of Standards and Technology (NIST), peer-reviewed security research, and annual reports from recognized cybersecurity organizations including Verizon, IBM, Akamai, and SpyCloud. Password strength estimates were drawn from published cryptographic entropy calculations using standard character set and word list sizes. Password manager feature comparisons reflect publicly available pricing and feature documentation as of May 2025. No password managers provided compensation for inclusion in this guide. Recommendations prioritize tools that have undergone independent third-party security audits. All external statistics are linked to their primary source documents.
Sources
- Verizon — Data Breach Investigations Report 2024
- UK National Cyber Security Centre — Most Hacked Passwords Revealed
- NIST — Special Publication 800-63B: Digital Identity Guidelines
- Electronic Frontier Foundation — EFF Diceware Passphrase Generator
- Have I Been Pwned — Pwned Passwords Database
- Microsoft Security — One Simple Action to Prevent 99.9% of Account Attacks
- Federal Trade Commission — Consumer Sentinel Network Data Book 2023
- IBM — Cost of a Data Breach Report 2023
- Bitwarden — Encryption and Security Architecture
- FTC Consumer Advice — How to Recognize and Avoid Phishing Scams
- Have I Been Pwned — Check Your Email Address for Breaches