How to create an easy-to-remember and strong password

Post 98 of 262

As the web looks today, most people have a number of user accounts on various services. With that comes the need to use passwords, which should be as secure as possible. Preferably by being long, containing letters in mixed cases as well as numbers and special symbols. Passwords should also never be re-used, but unique to each account, website or service. With dozens of such passwords to keep track of, it may be a pain to remember them all which sometimes results in taking shortcuts that result in a less secure password policy.

Web comic xkcd published an interesting view on this where it is shown that in theory, passwords made up from four random and easy-to-remember words are way more secure than shorter passwords containing numbers and symbols:

Now, what is true in theory is not always true in practice. Passwords made up from random words are more likely to be guessed using word list matches than random characters. But the idea of random words is still interesting since the passwords are naturally easier to remember. By combining the concept of four (or any number of) random words with a few special characters and mixed-case, you can get strong passwords which are still easy to remember.

Let’s create an example!

To give an example, let’s use the excellent Simple Strong Password Generator which was created by two Swedish developers soon after the xkcd cartoon was published. I start by generating a couple of random four-word passwords until I get one which I find easy to remember:

I got “mooncrossedcaseflow”, a 19-character password consisting of the words “moon”, “crossed”, “case” and “flow”. To make it more secure while still keeping it easy to remember, I add a number in each word: “1moon”, “2crossed”, “3case” and “4flow”. Finally I put an exclamation mark at the end, to get the end result:


The result is a 24-character password which is much easier to remember for me than a shorter string of random letters and numbers. Now, this is of course very individual so this may not be a good method for everyone. But if you resort to using simple passwords since more advanced passwords are too hard to remember, then this may be a good alternative.

The truly secure option

However, the most secure passwords are still the kind that can be generated by services like the Ultra High Security Password Generator. A password from it can look like this:

“tV>N`0R’|PFD5=HsQ`Rb@if9WwZACqsmgS’68~b8&< )Z7-S7w}MMjk`,c;L]{3A" I could never remember a password like that, but there are various ways to securely store passwords if needed. This blog post from NY Times lists some of the ways it can be done. The comments to the blog posts provide more tips and ideas for securing your passwords, no matter which password policy you choose to use.

, ,

This article was written by Andreas Viklund

Web designer, writer and the creative engine behind this website. Author of most of the free website templates, along with some of the WordPress themes.


lampeaceAugust 19, 2011 at 11:23Reply

A good software to search for a missing password, thanks for share andreas

PetterAugust 19, 2011 at 21:47Reply

Thanx for the post man!

Its great to see your work!
Im also swedish.
Doing some SEO, working with wordpress.

You sure are doing a great thing here.

Thanx for the password post.

Typo3 Template FreakAugust 21, 2011 at 16:43Reply

Thanks for the Post

to save the passworts i use 1Password – with FF addon – thats great ;)

HenrikAugust 22, 2011 at 12:47Reply

Lastpass is a great password manager for IE, Safari, Chrome, iPad. It can generate strong password for every site you need a login to and you only need to remember the master password.

You can also use padding to make your password stronger. Example, if you use a common word like pencil. Pad som extra characters in the word, pencil!!!!!!! or pen!!!cil.

JuanAugust 26, 2011 at 01:28Reply

Muy bueno lo tuyo no todo el mundo comparte lo que vos compartis, pero me agrada el hecho de que hay gente que da sin esperar y eso habla muy bien de vos.
Soy un tipo grande y estoy empezando a repensar mi vida y mi trabajo y buscando en internet empece a hacer paginas para mis amigos y les gusto, asi que la emprendi con esto y recien me estoy largando; Por eso te conoci a traves de la busqueda de plantillas para poder guiarme y ver como los grandes hacen las cosas y aprender un poco mas cada dia, asi que en cuanto largue mi pagina te la voy a mostrar y(si no te molesta) podes hacer la critica de mi trabajo.
Gracias desde ya por tu atencion y nos veremos en este fascinante mundo de internet y segui asi que lo haces muy bien.

Korting2011August 29, 2011 at 17:53Reply

Thanks for share andreas!

JavitaSeptember 1, 2011 at 03:54Reply

Awesome. I tend to use one of a handful of passwords for my low-priority stuff. But the absolute BEST investment I’ve EVER made for my computer was Roboform. It remembers all my login information, can fill out forms for me, and has a password generator. I’m sure it’s not ultra-high security, but it’s high enough I can’t remember them!

johnphdJune 21, 2012 at 22:54Reply

A strong 20 character password with unique salt – userid and a 4 character passkey used to retrieve your strong password is still one of the best options for a strong password.

An opensource implementation of this is The userid and 4 character passkey serves as both the salted hash and the encryption key.

Hope it helps!

Leonhard EulerJune 2, 2013 at 16:17Reply

Wouldn’t picking 4 random (but real) words make your password very weak against a Dictionary attack? I can see how it would make Brute Force methods take billions of years, but even DeoxyriboNucleicAcid at 20 characters would be guessed in however long it takes your cracking program to get to the “D” section of any dictionary.

If adding numbers and punctuation is the answer to hardening your “easy to remember” password against said attack, then either you do something common, like number each word, or add a 1 to the end, (making it soft) or uncommon and then you have a difficult to remember password again. You’ll remember the base words just fine, but like XKCD-guy points out, you’ll forget where the numerics go.

In summary, I suspect increasing the length of the password does little for security if the words are readily found in any dictionary. Please correct me if I’m wrong or missing something.