How to Generate a Strong Password You Can Actually Remember

For most passwords, the advice is simple: use a password manager, generate something completely random, and never try to remember it. But there are a handful of passwords you need to know by heart and can never store anywhere — your password manager's master password, your phone PIN, your device login. For those, pure randomness doesn't work. Here's the approach that gives you genuine strength without requiring a perfect memory.

Why "add a capital and a number" advice is wrong

The classic IT department advice — take a word you know, capitalise the first letter, add a number and a symbol at the end — produces passwords like Summer2024! or Football#7. These feel strong because they have mixed case, a number, and punctuation. They're not.

Modern password cracking tools specifically test these substitution patterns. P@ssw0rd is in pre-computed cracking dictionaries. Any transformation with a consistent structure — replacing 'a' with '@' or 'o' with '0', appending a number to the word — is accounted for. If a human can think of it as a pattern, a cracking tool has already tried all the variations.

The diceware / passphrase approach

A passphrase is four to six random words combined: something like correct-horse-battery-staple (a famous example from the webcomic xkcd, now unfortunately in dictionaries itself, so don't use that specific one). The security doesn't come from complexity within words — it comes from combining multiple independent words randomly.

With five random common words, there are approximately 10 trillion possible combinations if you're drawing from a reasonably sized word list. A ten-character mixed-case password has billions of combinations too, but dictionary attacks and pattern testing reduce that effective space dramatically. The passphrase's advantage is that randomness across independent words is harder to systematically attack.

The other advantage is memorability. Human brains are wired to remember stories and imagery, not random strings. purple hammer dancing octopus creates a mental picture. Kp9#mZxL does not.

How to generate one that's actually random

The problem with making up a passphrase yourself is that humans are terrible at being random. We reach for familiar words, avoid certain subjects unconsciously, and produce patterns we don't notice. The words you think of as "random" are more likely to be words you've been thinking about recently.

True diceware uses physical dice: roll five dice, read the number as a five-digit index into a word list, repeat for each word. The EFF (Electronic Frontier Foundation) publishes open word lists designed for this. The result is genuinely random in a way that self-selected passphrases aren't.

If you don't have dice handy, our password generator can generate random strings that you can use as a base, and for passphrases specifically, browser-based tools like Bitwarden's online generator include a word-based passphrase mode.

Adding memorable anchors without reducing security

A pure four-word random passphrase is about 51 bits of entropy — strong, but most security-conscious systems now recommend six words or an additional twist. There are ways to increase memorability and length simultaneously.

Adding a personal context separator: correct.horse.battery!staple — punctuation between words makes it harder to crack while the rhythm makes it easier to type from memory. The separator can be consistent across your few memorized passwords as long as the words themselves are different each time.

Substituting one word for a phrase: running-horse-battery-from-thunder extends length while adding a narrative hook. Five words rather than four adds roughly 12.9 bits of entropy.
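The dice-to-index lookup from the generation section above, together with the four- versus five-word entropy figures quoted here, as an added Python example that is not part of the original article; the 36-word list is constructed so the two-dice case runs offline, and the function names are my own:

```python
import math
import secrets

# Constructed 36-word list (6**2) so the two-dice case runs offline; the
# EFF large list has 7776 entries (6**5), keyed "11111".."66666".
SAMPLE_WORDS = (
    "purple hammer dancing octopus thunder battery staple correct horse "
    "running river candle marble pepper silver forest button velvet rocket "
    "pillow garden copper walnut spider anchor cactus dragon falcon island "
    "jungle kettle lantern meadow nickel orbit parrot"
).split()

def dice_per_word(words):
    """How many dice index this list; the list size must be a power of 6."""
    n = round(math.log(len(words), 6))
    if 6 ** n != len(words):
        raise ValueError("word list size must be a power of 6")
    return n

def roll_dice(n):
    """n dice rolls from the OS CSPRNG (secrets), each a face 1..6."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))

def dice_key(rolls):
    """Render rolls the way a diceware list is keyed: (3,1,4,5,2) -> '31452'."""
    return "".join(str(r) for r in rolls)

def key_to_index(key):
    """Read a dice key as a base-6 number with digits 1..6 -> 0-based index."""
    index = 0
    for ch in key:
        face = int(ch)
        if not 1 <= face <= 6:
            raise ValueError(f"not a die face: {ch!r}")
        index = index * 6 + (face - 1)
    return index

def generate_passphrase(words, n_words, sep="-"):
    """Roll independently for each word; the fixed separator adds no entropy."""
    n_dice = dice_per_word(words)
    picks = [words[key_to_index(dice_key(roll_dice(n_dice)))] for _ in range(n_words)]
    return sep.join(picks)

def entropy_bits(list_size, n_words):
    """Entropy of n_words independent uniform picks from list_size words."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 4, sep="."))
    print(f"4 words from 7776: {entropy_bits(7776, 4):.1f} bits")
```

With the real 7776-entry list the same functions give the 51.7 bits for four words and the 12.9 bits per additional word quoted above.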

What doesn't help: capitalising the first letter of each word (cracking tools try this variation first), adding a number at the end (expected), replacing obvious letters with symbols (o→0, a→@). These feel like improvements but aren't against a sophisticated attacker.

The few passwords worth memorising

To get the benefit of both strong unique passwords everywhere and the ability to function without looking everything up, the goal is to keep memorized passwords to a minimum:

Your password manager master password — one genuinely strong, unique passphrase. This one is worth spending real effort on. Write it on paper, store the paper somewhere physically secure (separate from your devices), and type it frequently enough that it becomes automatic.

Your primary email account — because even with a password manager, you occasionally need email access to recover another account on a device that doesn't have the manager set up yet.

Your device unlock PINs / passwords — phone and computer. These you'll type many times daily, so muscle memory develops quickly.

Everything else should be a random generated password stored in your manager. The goal of memorizing strong passwords is not to have many strong memorized passwords — it's to have as few as possible while covering the cases where memory is strictly necessary.

Testing what you've created

Once you have a candidate passphrase, two checks are useful. First, can you type it accurately three times in a row without looking? If not, either the words are too obscure or the length is too long for reliable recall. Second, walk away and come back in two hours — can you still recall it? If not, the words aren't forming a strong enough mental image. Go back to the dice or generator and try again.

The password you write down because you can't remember it, the one you store in a note on your phone, the one you simplify after forgetting it twice — these defeat the purpose. A passphrase you can reliably recall from memory is more secure in practice than a stronger one you can't.