How To Create a Strong Password you can Remember


As more and more of your life moves online, maintaining a secure computing environment is critical. Creating a password isn’t good enough; it needs to be a STRONG password. A common misconception, however, is that a strong password is hard to remember. Not true, and good news for you: today I’ll review how to create easy-to-remember, yet rock-solid passwords.

How to Create a Strong, Secure Password

  1. Use a passphrase. You mean like an actual phrase? Yes, that’s exactly what I mean! The great thing about a passphrase is that it’s long, it’s not a dictionary word and, in some cases, it’s easy to include special characters which are tough to guess. For example, a password I’ve used in the past was: “my laptop is black and ugly!” Wow, a 28-character password that’s easy to remember (I just look at my laptop) and nearly impossible to guess or hack (unless you look at my laptop). Some services out there, like Twitter, don’t allow spaces in passwords, so you will need to adjust from time to time.
  2. Use a password tool like 1Password, which not only keeps all your passwords locked up and secure but also helps you create a secure, unique password for each of your accounts.
  3. A secure password is a unique password. As tempting as it might be, never use the same password on multiple websites. Sharing passwords between sites is like Russian Roulette. All it takes is one website hack to ruin your day, especially if that password is used across all your online accounts. Add a layer of security to your online footprint by using unique passwords on every website.
  4. Don’t use dictionary words. Yeah I know, your kids are cute, but their names make horrible passwords, as do months of the year, movie titles, and cute furry pets. Dictionary words are easy to guess, and there are about a million apps out there which specialize in attacking accounts using dictionary words in all known languages. The only exception to this rule is using dictionary words in a passphrase.
  5. Like most valuable things in life, passwords need at least annual maintenance. In other words, if you’ve been using the same password for a few months or years, change it. Again, using a passphrase, you shouldn’t have a problem coming up with a simple, unique phrase you can easily remember. If you don’t know how to change some of your account passwords, no worries. Here are a few of our most popular guides for changing your Amazon, Facebook and Twitter password.
  6. Contrary to popular belief, a password written on a yellow sticky note and hidden under a keyboard is not secure. So, don’t do that! If the worst happens and you forget your password, you can almost always reset it using your email address.

What Next?

When it comes to online security, multiple layers are required. One of the most important layers is two-factor authentication. It’s a bit more complex; however, as always, we have step-by-step guides to walk you through the procedure. If you get stuck along the way, just let us know in our Free groovyPost Support Forum.

Do you know someone who uses really bad passwords online? Do them a favor and share these tips with them today!



  1. Jim Conkler  

    Great tip. I spent half the day moving to a pass phrase and altering it a tad for each site using a technique I can’t tell you about. :)

    Thanks for the tip. I’d never thought about a phrase before. Very groovy.

    • Thanks for the feedback @Jim!

      Glad to hear you liked the Pass Phrase Tip. I’ve been using that trick for years starting about 8-10 years ago when I first discovered spaces are allowed for Windows Active Directory accounts. Our corporate IT guys made us change our password every 45 days and we couldn’t re-use old passwords. The Pass Phrase worked like a charm and several times they made me smile being… no, I won’t tell you what they were but I’ll bet you can figure it out.

  2. Ted  

    Somebody recommended modifying the name of the website as the password. So on Facebook the password could be myfacebook. What do you think?

    Neither your system nor the one I mentioned above works in many cases where numerals are also required.

    • Brad  

      humm, slightly modifying the website name sounds like it might make it easy to guess. But I think it is good to include a concept from the site into your pass phrase (i.e. “myRambling” instead of “myfacebook”)

      Here are some tips I would recommend in addition to the ideas Steve offered.
      1) Exchange strategic numbers for specific letters within your phrase. i.e. O=0, l or i = 1, E = 3, etc. So “the tall wall” could become “th3 ta11 wa11” – that gets around the required numbers problem and, if you are consistent, is just as easy to remember.
      2) Exchange a punctuation mark like _ or , or . for all spaces – “th3,ta11,wa11”
      3) I’m new here so I don’t want to look like I’m a plant for a password storage app, but these can be *really* helpful. I love the one that positions itself as “the last password you will ever need”.
      4) If you don’t use a password manager, then Steve’s rule 1 (about each one being unique) should be tempered (IMHO) a little bit for sanity. For non-financial passwords, I would group them into categories. So, if you have two or three email accounts, you might be able to get away with using the same password for each. But here you have to evaluate risk vs. convenience.

      • Doug Jensen  

        Using password managers is a bad idea. If that database becomes corrupted (which has happened to me with the most widely used password manager), you are SOL unless you keep (or the password manager can export) a user-readable copy — they are usually encrypted so you can’t read your passwords when the inevitable happens.

        BTW, the lookalike number/letter substitution is obvious and always explored as part of dictionary word password breaking.

        • True- However, my PW Database is backed up w/Crashplan. It watches my files and backs them up each time there is a change. With Unlimited revisions, I don’t worry about it.

          So worst case, I restore a previous version of my PW Database w/Crashplan.

          The same goes for Ransomware… If my box is ever owned from a Ransomware standpoint, oh well. Wipe the box and restore from Crashplan. It’s not free but, it’s cheap insurance at $60 a year. It’s the one product I tell ALL my readers to buy no matter the platform (Windows/Mac).

  3. Alex  

    Quite useful actually. Thanks…

  4. pter  

    I used a different method to select my password, I start from a sentence like, “The winter is coming but I am ready !” I just take the first letter of each word: Twicbiar!

    That fixes the problem of the maximum 8 characters password.

    What do you think?

    • Hi Pter – That’s also a great method. It works very well and it’s not a dictionary word so good luck on anyone guessing it. Plus since you used a pass phrase, it should be easy to remember also.

      Nice system.

  5. Catz  

    Wait. What?

    You said NOT to use dictionary words but “my laptop is black and ugly” is 6 words, all of which are found in the dictionary.

    I don’t get it.

    • Brad  

      Perhaps this is more clear. Do not use a password that can be found in a dictionary. So, “laptop” is not a good password. But the phrase “my laptop is black and ugly” cannot be looked up (as a phrase) in any standard dictionary.

      Still, to be safe, phrases should contain at least 4 words unless you choose to slightly mangle the words in a personally memorable way (as was suggested above). i.e. “th3,ta11,wa11”

      • Ted  

        Is it a good idea to use different passwords for different sites?

        • Oh yes. Very much so. You should never use the same password on multiple websites even if you come up with a really secure password.

          The main reason for this is because websites get broken into all the time at no fault of you, the end users. Perhaps it’s an inside job where a system admin goes rogue or perhaps the website has a bug in it and the attacker can break in.

          Either way, if they get into the website, your password is normally stored in a database. So if the attacker gets into that database they now have your password.

          Not good…. however this could be REALLY bad if that same password is used on all your accounts over the internet. And REALLY REALLY bad if they now have your email or paypal account….

    • HI Catz,

      I perhaps should have elaborated a bit about how hackers go about cracking passwords. Here’s how it works:

      One method hackers use for breaking into accounts is they take an application made for testing passwords and point it at a list of dictionary words in several languages. The application then crawls applications and websites trying common usernames in combination with that list of dictionary words.

      Now the way it works is it tries individual dictionary words, not combinations of them, i.e. phrases. The reason they don’t go after pass phrases is because there are just way way too many combinations of words to put together. I would say impossible and to try them all it would take way way too long.

      So that’s why if you use a Pass Phrase, you will be 99.999% safer than a person who uses a single word like laptop or december or becky or any other name which you can find in a common dictionary.

      Make sense?

    • Sorry if that’s confusing. You see — using the password “Laptop” would be bad. This is a dictionary word. However, the passphrase “my laptop is black and ugly” is NOT a dictionary word.

      Sure, it’s made up of dictionary words, however, together they are not a dictionary word and neither a hacker nor an automated brute force password application would be able to break it. Why? Because the number of possibilities is endless when you stack dictionary words together into a phrase.

      Now, there are exceptions to every rule. In other words, I would not use a passphrase like “I love my kids” or, “I love my dog”. That’s not random enough and there is a possibility… it could be guessed by a human or application given enough attempts.

  6. AnnT  

    My husband used the last four numbers of his army id to protect his log-in screen. And had the visible onscreen tip as “last 4”.
    Why password protect from your wife of 23 years? Hmmm. I wonder why ….
    I checked. And changed it to “I am a cheat and a liar”. He’ll never figure that one out, but he doesn’t live here anymore.

  7. jifjaf  

    You say above that you think it is a good idea to use different passwords for different sites – do you have any suggestions for how to remember loads of different passwords?

    • My advice would be:

      Use a passphrase that you can tack the specific service onto.

      The passwords:

      “this is my gmail account password”
      “this is my yahoo account password”
      “this is my bing account password”
      “this is my password i use for crap i dont care about”

      Are all very secure and nobody would be able to guess them unless you use the same username on every site (or somebody very close to you figures them out).

      You could also change up the order though:

      “this is my password for gmail austin”
      “this is my password for bingo smingo”
      “this is my password for wahoo yahoo”
      “this is my password i use for crap i dont care about”

      Just keep it simple, LONG, and easy to remember, then you should be good.

      • Robert Lancaster  

        Your suggestion has (though to a lesser degree) the same issue as using the exact same password at multiple accounts.

        For example, if a hacker (or rogue admin) finds out that your passphrase at, say, Bing is “this is my Bing password”, they could then try that same passphrase at other sites, replacing “Bing” with the name of each site.

  8. Henry  

    Great tip and completely understandable. I’m going to use it from now on.

    • Awesome! I’m glad you enjoyed it. Feel free to spread the love by submitting to your favorite social media site.

      The more security ppl out there the better we all are!

  9. J.T.  

    I used a variation of that scheme since about 2002:
    Steeler beat Browns 27 16 yields password:


    I think with a cap, an underscore and a number or four it’s nearly impossible to crack (well maybe you can crack it — with something on the order of a liquid cooled supercomputer running for 96 hours straight!)

    • Awesome system. A good example of building a system that works for you! Easy to remember yet powerful.

  10. Sulema Brown  

    what can you do if you forget your password? How will I be able to unlock it? Thanks

    • Hi Sulema,

      In most cases, applications and websites have a “I forgot my password” feature. The way it works is a reset password will be emailed to you. You click that link and the app will walk you through resetting your password.

      Now, if you forget your password to your email account, most services like Gmail and will ask you additional questions to confirm your identity.

  11. Peter Griffin  

    My preferred method is to use a password 2 million characters in length (with no repeating characters), use caps, numbers, special characters and super-enciphered dictionary words.
    Meanwhile back on planet Earth, how on earth are people meant to remember multiple passwords? Course they can’t. You could use a password manager, but 99.9% of the sites I use don’t require a unique password, because I’m not bothered if they get hacked or not. I use the same password for all these sites. The only exceptions are online banking and web mail, where I do use different (non-dictionary) passwords.
    Another similar technique to a passphrase is to use half a dozen or so random words (can be dictionary words or made-up ones, doesn’t matter), for example:
    Unless the alphabet agencies have quantum computers we know nothing about, a random chain of dictionary words will keep their supercomputers busy for at least a week or two I reckon.

    • Hi Peter,

      Like you, I have about a hundred or more accounts online. It’s such an important piece of my life that I’ve invested in an application to help me both create and store my passwords. I highly recommend 1Password for all my groovyPost readers. Buy it for your iPhone, Mac or Windows and you can use the software on all devices.

  12. Doug Jensen  

    This is not all that helpful with the sites that have bad limits on passwords–e.g., no more than 8 characters, or no special characters allowed. 8-letter abbreviations for phrases are almost the only option in such cases.

    • Well sure. You can’t lock a door if the door has no lock on it. In that case…. What do you suggest?

  13. Lou G  

    Great info. As one that tries to vary passwords, but has been leery of using password managers, the suggestions posted, I will try to remember when I need to change a password. One of the most ridiculous passwords I’ve read about folks using is “password”. Duh!

    • Yes… Password or just as bad, P@$$W0RD….

      PPL think it’s creative and secure. It’s not secure. :)

  14. moses  

    Lucky for me, I have used BlackBerry devices for the last 8 years and I have never worried about passwords because all BlackBerry devices come with a password keeper which can create and store passwords for you, it makes up impenetrable passwords. And the app is also password and encryption protected. I have been security conscious for a number of years. I use two emails the Gmail for everything and Protonmail for important stuff because of no “IP logs policy”…[ProtonMail’s] security measures are intense: end-to-end encryption and user authentication protocols so rigorous even the creators can’t read user emails.

  15. Very useful article, thank you for sharing these great tips with us! I have to admit that I never thought of using a passphrase, but I will definitely do it now.

  16. My kids figure out my passwords same mind set I also figure out their passwords we live in the same system ha ha

  17. Peter Griffin  

    Two-factor authentication is no longer considered secure.
    A search on for
    “two-factor authentication” insecure
    produces 82,600 results.
    Just one hit:

    • Peter Griffin  

      Or rather I should specify: two-factor authentication by *SMS* is (potentially) insecure.
      Other two-factor authentication methods may still be secure.

  18. Peter Griffin  

    Of course, keystroke logging, phishing and social engineering will undermine any password, however complex.

    Pasted below is section A3 from

    “A.3 Complexity

    As noted above, composition rules are commonly used in an attempt to decrease the guessability of user-chosen passwords. Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.

    Users also express frustration when attempts to create complex passwords are rejected by online services. Many services reject passwords with spaces and various special characters. In some cases the special characters that are not accepted might be an effort to avoid attacks like SQL Injection that depend on those characters. But a properly hashed password would not be sent intact to a database in any case, so such precautions are unnecessary. Users should also be able to include space characters to allow the use of phrases. Spaces themselves, however, add little to the complexity of passwords and may introduce usability issues (e.g., the undetected use of two spaces rather than one), so it may be beneficial to remove spaces in typed passwords prior to verification.

    Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.”
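
The blacklist comparison described in the quoted section A.3, as an added example (not part of the original comment or the article): candidate passwords are normalized for the look-alike substitutions discussed earlier in the comments and compared against constructed sample lists. The list contents, the 8-character minimum and the substring check for the service name are assumptions of this example.

```python
import re

# Constructed sample lists for illustration; a real check would load a breach
# corpus and a full dictionary. Per the quoted text, entries shorter than the
# minimum length could be omitted, since the length rule already rejects them.
MIN_LENGTH = 8  # assumed policy value
BREACHED = {"password1", "password1!", "qwerty123", "iloveyou1"}
DICTIONARY = {"password", "laptop", "december", "becky"}

# Look-alike substitutions named in the comments (0=o, 1=l or i, 3=e) plus the
# "@" and "$" seen in "P@$$W0RD". "1" is ambiguous, so build one table per reading.
_BASE = {"0": "o", "3": "e", "@": "a", "$": "s"}
LEET_TABLES = [str.maketrans({**_BASE, "1": one}) for one in ("l", "i")]


def normalized_forms(password):
    """Return the lowercase variants that simple word mangling maps back to."""
    lowered = password.lower()
    # Drop a trailing run of digits/symbols: "password1!" -> "password".
    stripped = re.sub(r"[\W\d_]+$", "", lowered)
    forms = {lowered, stripped}
    for table in LEET_TABLES:
        forms.add(lowered.translate(table))
        forms.add(stripped.translate(table))
    return forms


def check_password(password, service):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    forms = normalized_forms(password)
    if len(password) < MIN_LENGTH:
        reasons.append("too-short")
    if forms & BREACHED:
        reasons.append("breached")
    # Whole-password comparison: a phrase built from dictionary words passes.
    if forms & DICTIONARY:
        reasons.append("dictionary-word")
    # Assumption of this example: reject any password that contains the
    # service name, not only one that equals it.
    name = service.lower()
    if name and any(name in form for form in forms):
        reasons.append("contains-service-name")
    return reasons


if __name__ == "__main__":
    for pw, svc in [("Password1!", "Example"), ("P@$$W0RD", "Example"),
                    ("myfacebook", "Facebook"),
                    ("my laptop is black and ugly!", "Twitter")]:
        print(repr(pw), "->", check_password(pw, svc) or "accepted")
```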

  19. John  

    Wow, something very useful. I got my Gmail account hacked twice because of a low-strength password. I will use your tips now.
