Password Tips
Easy to Remember Passwords That Are Actually Secure
The advice to "use a random string of 20 characters" is technically correct — but useless if you can't remember it and end up reverting to something weak. Here's how to find the real middle ground between secure and human.
The tension between memorable and secure
Most people gravitate toward the same kinds of passwords — a pet's name, a birthday, a favourite word with a number at the end. These feel personal and unique, but they follow patterns that cracking software is specifically designed to try first. "Fluffy2003!" is not strong, even though it feels like it should be.
Fully random passwords like xK#9mP!2wQ@vL are extremely strong, but almost impossible to memorise — especially when you need one for every account. The solution is not to pick one extreme, but to use a method that produces something both structured enough to remember and unpredictable enough to resist attacks.
Why "memorable" passwords still get cracked
Attackers use dictionaries containing millions of words, names, and common substitution patterns. They know that people replace "a" with "@", that "e" becomes "3", that most passwords end in "!" or "1". Tools like Hashcat and John the Ripper apply all of these transformations automatically.
This means a simple word with basic swaps — p@ssw0rd! — is still in the dictionary. The real strength comes from combining an unusual base word with consistent, personal transformations and a truly random suffix that the attacker cannot predict.
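To make the point concrete, here is an added example (written for this page, not taken from Hashcat or John the Ripper, whose rule syntax is more elaborate) of the kind of rule-based mangling a cracker performs. The wordlist, the leet table and the suffix list are tiny constructed stand-ins for the multi-million-entry files used in practice. It shows that p@ssw0rd! and Fluffy2003! fall straight out of the rules, while the random suffix in T3l3sc0pE#94 is what keeps it outside this particular rule set.

```python
import itertools

# Constructed sample data: a stand-in for real cracking dictionaries and
# rule files, which contain millions of words and hundreds of rules.
WORDLIST = ["password", "fluffy", "telescope", "summer", "dragon"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "123", "2003", "2003!"]


def case_variants(word):
    """lower, Capitalised, UPPER, and First-and-LasT capitalised."""
    variants = {word, word.capitalize(), word.upper()}
    if len(word) > 1:
        variants.add(word[0].upper() + word[1:-1] + word[-1].upper())
    return variants


def leet_variants(word):
    """Every combination of applying or not applying each leet swap."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    out = set()
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply_swap, pos in zip(mask, positions):
            if apply_swap:
                chars[pos] = LEET[chars[pos]]
        out.add("".join(chars))
    return out


def mangle(word):
    """All candidates the rules derive from one base word."""
    candidates = set()
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                candidates.add(leeted + suffix)
    return candidates


def is_covered(candidate, wordlist=WORDLIST):
    """True if a rule-based attack on this wordlist reaches the candidate."""
    return any(candidate in mangle(w) for w in wordlist)


def candidate_count(wordlist=WORDLIST):
    """Total guesses the rules generate; the attacker's actual workload."""
    return sum(len(mangle(w)) for w in wordlist)


if __name__ == "__main__":
    for pw in ["p@ssw0rd!", "Fluffy2003!", "T3l3sc0pE#94"]:
        print(f"{pw:14} reached by rules: {is_covered(pw)}")
    print(f"{candidate_count()} candidates from {len(WORDLIST)} words")
```

The caveat a practitioner should draw from this: a real attacker does not stop at a fixed suffix list. Appending a mask of one symbol and two digits to every candidate costs roughly 3300 extra guesses per word, which a GPU absorbs without noticing, so a short random suffix buys only a few bits. It is the base word being absent from the wordlist that pushes the attack from "rules" to "brute force".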
Three approaches that actually work
1. The transformed base word
Start from a word only you would associate with this account — something obscure, not your pet or birthday. Apply consistent personal rules: capitalise the first and last letter, swap specific vowels for symbols, append a short random number. Example: telescope → T3l3sc0pE#94. You remember the word and the rules. Be clear about where the strength comes from: the capitalisation and vowel swaps add almost nothing on their own, because cracking tools apply exactly those rules to every dictionary word automatically. What the attacker cannot cheaply reproduce is a base word that is not in any wordlist and a suffix that was chosen at random rather than from a birthday or year, so the word must be genuinely obscure and the suffix genuinely random.
2. The random passphrase
Pick four or five completely unrelated words at random — not a phrase from a song or book. Something like correct-horse-battery-staple. This approach, popularised by XKCD, gets its strength from the random selection of the words rather than from length alone: four words drawn from a 7776-word list give roughly 52 bits of entropy, and each additional word adds about 13 bits. It is surprisingly memorable because the absurdity of the combination sticks in your mind. Do not use the XKCD example itself; it has been in every cracking wordlist for years.
3. Generated memorable password
Use a tool with a "memorable mode" — enter a base word you already know, and it applies leet substitutions, capitalisation, and a random suffix automatically. You still get a connection to something familiar, but with transformations and entropy you wouldn't apply consistently on your own.
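The "memorable mode" described in approaches 1 and 3 boils down to a deterministic rule applied to a base word plus a suffix drawn from a cryptographic random source. The following is an added example written for this page, not the code of any real password tool; the specific rule set, the suffix alphabet and the suffix length are assumptions chosen to match the telescope example above. It also reports how many bits the random suffix actually contributes, which is the number a practitioner should look at.

```python
import math
import secrets
import string

# Consistent personal rules (assumed for illustration): the user memorises
# the base word and these rules, not the generated string.
LEET = {"e": "3", "o": "0"}

# Suffix alphabet: 10 digits + 6 symbols = 16 characters, so each suffix
# character contributes log2(16) = 4 bits. This alphabet is an assumption.
SUFFIX_ALPHABET = string.digits + "#!$%&*"


def apply_rules(base):
    """Capitalise the first and last letter; swap e->3 and o->0 in between.

    Deterministic: the same base word always gives the same result, which
    is exactly why this step adds no entropy against a rule-based attack.
    """
    if len(base) < 2:
        raise ValueError("base word must be at least two characters")
    middle = "".join(LEET.get(ch, ch) for ch in base[1:-1])
    return base[0].upper() + middle + base[-1].upper()


def random_suffix(length=3, alphabet=SUFFIX_ALPHABET):
    """Uniform random suffix from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def suffix_bits(length=3, alphabet=SUFFIX_ALPHABET):
    """Entropy the suffix adds, in bits: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def memorable_password(base, suffix_len=3):
    """Transformed base word followed by a random suffix."""
    return apply_rules(base) + random_suffix(suffix_len)


if __name__ == "__main__":
    pw = memorable_password("telescope")
    print(pw)  # e.g. T3l3sc0pE7#2 (suffix differs on every run)
    print(f"random suffix adds {suffix_bits(3):.1f} bits")
    print(f"a 5-character suffix would add {suffix_bits(5):.1f} bits")
```

The arithmetic is the useful part: a three-character suffix from a 16-character alphabet is only 4096 possibilities, about 12 bits, which a cracker covers by appending a mask to each dictionary candidate. If the base word is in a wordlist, that is roughly all the security the password has; if it is truly obscure, the attacker is reduced to brute force over the whole string, which is where the length helps. Lengthening the suffix is cheap insurance.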
The one rule that matters most
Regardless of which approach you use, the single most important rule is: one password per account. A memorable password that you reuse everywhere is far more dangerous than a strong password used in one place. When any of those sites gets breached, attackers feed the leaked email and password pairs into automated tools that try them against every major service, an attack known as credential stuffing.
If memorising a unique password for every account feels impossible, that's because it is — and that's exactly what password managers are for. Use a memorable master password for the manager, and let it handle unique passwords for everything else.
Frequently asked questions
Can a memorable password be truly secure?
Yes — if it is long enough and uses unpredictable elements. A memorable password of at least 14 characters built from an obscure base word, consistent symbol substitutions and a random suffix is strong enough for practical use, especially when it is unique to one account and the site hashes passwords properly. It is not as strong as a fully random string of the same length, because the substitutions are predictable and only the base word's obscurity and the suffix contribute real entropy. The key is that 'memorable' cannot mean 'predictable'.
Is a passphrase better than a random password?
Passphrases — a sequence of random words like 'correct-horse-battery-staple' — are a valid and strong approach. Their strength comes from the number of words and the size of the list they are drawn from: four words from a 7776-word list is about 52 bits, and six words is about 78 bits, which is out of reach of offline guessing against any properly hashed password. They are also easier to type than random strings. However, they need to be truly random words, chosen by a generator rather than by you, not a phrase from a song or book you know, which would be guessable.
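The passphrase approach from the "random passphrase" section and this answer is simple enough to implement directly. The following added example is written for this page and is not a real password tool; the embedded 32-word list is a constructed sample, and the bit counts for a 7776-word list assume a list the size of the EFF large wordlist. The word list size is the parameter that matters, so the entropy helper takes it explicitly.

```python
import math
import secrets

# Constructed sample list of 32 words, so each word gives log2(32) = 5 bits.
# A real diceware-style list is far larger; EFF_LARGE_SIZE matches the
# EFF large wordlist, which has 7776 entries (about 12.9 bits per word).
SAMPLE_WORDS = [
    "anvil", "basket", "cactus", "dune", "ember", "fossil", "glacier", "harbor",
    "igloo", "jigsaw", "kettle", "lantern", "marble", "nickel", "orbit", "plume",
    "quartz", "ripple", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "bramble", "copper", "drizzle", "falcon", "goblet", "hollow",
]
EFF_LARGE_SIZE = 7776


def passphrase(n_words=4, words=SAMPLE_WORDS, sep="-"):
    """n words chosen uniformly and independently with the OS CSPRNG.

    Drawing with replacement keeps the entropy calculation exact; a human
    picking 'unrelated' words by hand is not uniform and gets no such bound.
    """
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words, list_size):
    """Entropy in bits: n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(passphrase())  # e.g. kettle-xenon-anvil-plume (differs every run)
    print(f"4 words from the sample list: {passphrase_bits(4, len(SAMPLE_WORDS)):.1f} bits")
    print(f"4 words from a 7776-word list: {passphrase_bits(4, EFF_LARGE_SIZE):.1f} bits")
    print(f"words needed for 80 bits from a 7776-word list: {words_needed(80, EFF_LARGE_SIZE)}")
```

Two things this makes visible. First, the sample list is far too small for real use: four words from it are only 20 bits, which is why real lists run to thousands of words. Second, the generator must be the random source; the security argument rests on every word being equally likely, and a person choosing words that "feel random" does not come close to that.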
How do I create a password I won't forget?
Start from a personal word or phrase only you would think of, then apply consistent transformations you can remember: capitalise the first letter, swap certain vowels for symbols (e→3, a→@, i→1), and append a short number that you generated at random and then memorised, not a birthday, postcode or year. The transformation rules become the 'key' — you remember the base word and the rules, not the final string. Bear in mind that the vowel swaps are the first thing cracking tools try, so the base word itself must be one that does not appear in any wordlist.
Is it okay to write down my password?
Writing a password on paper and keeping it physically secure (such as in a locked drawer, not a sticky note on your monitor) is considered acceptable for home use by many security experts. It is far better than using a weak or reused password. However, a password manager is safer for day-to-day use: its vault is encrypted, so even if the file or device is stolen the passwords are useless without the master password, whereas a found paper note is immediately usable by whoever holds it.
What is the most secure type of password?
A long, fully random password generated by a password manager and stored in that same manager is considered the most secure approach. It has no pattern, no predictability, and is unique to every account. The trade-off is that you cannot memorise it — but with a password manager, you do not need to.
How often should I change my passwords?
Security guidance has shifted away from mandatory regular changes. You should change a password when you have reason to believe it has been compromised — for example, if a site you use is breached, if you notice suspicious activity, or if your credentials appear on haveibeenpwned.com. Changing passwords on an arbitrary schedule often leads to weaker passwords as people increment numbers at the end.