Most password advice forces a choice between security and memorability. Complexity requirements produce passwords that are hard to remember yet weaker than they look, because people satisfy the rules in predictable ways (a capital first letter, a digit and a symbol at the end); simple memorable passwords are weak outright. Passphrases resolve this tension, but only when they are generated randomly. Knowing which memorability techniques are compatible with security and which silently destroy it is essential for practical password hygiene.
Techniques That Destroy Security
- Personal words: Pet names, family members, sports teams, favourite places. Attackers harvest exactly these from LinkedIn, social media and public records and build targeted wordlists from them
- Date substitution: "Summer2024!". A season or month, a year and a trailing symbol is one of the first patterns a rule-based attack tries, because standard mangling rules append years and symbols to every base word
- Keyboard patterns: "qwerty", "123456", "zxcvbn". Every major cracking dictionary includes them
- Predictable substitution: "P@ssw0rd". Leet-speak substitution rules ship with every major cracking tool, so swapping a for @ or o for 0 costs the attacker only a small multiple of extra guesses per base word
- Thematic word groups: "RedRoseRomance". Words chosen to fit a theme are drawn from a small related set rather than the whole dictionary, so the effective search space is far smaller than the word count suggests
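The following is an added example, not code from the original page, showing how quickly the patterns above fall. It is a constructed toy rule engine that mimics the kind of mangling rules cracking tools apply to a base wordlist (it is not a real hashcat or John the Ripper rule file): three constructed base words are expanded with capitalisation, every combination of leet substitutions, an optional year from 1950 to 2030 and an optional trailing symbol. The entire space it produces contains both "Summer2024!" and "P@ssw0rd" and is under 2^15 candidates, which is far less than the apparent "complexity" of those strings suggests.

```python
import itertools
import math

# Constructed toy ruleset that mimics the kind of mangling rules cracking
# tools apply to a base wordlist. Illustrative only: not a real hashcat or
# John the Ripper rule file.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
YEARS = [""] + [str(y) for y in range(1950, 2031)]   # no year, or 1950..2030
SYMBOLS = ["", "!", "@", "#", "$", "%"]              # no symbol, or one trailing symbol
BASE_WORDS = ["summer", "password", "rose"]          # constructed base wordlist


def leet_variants(word):
    """Return the distinct strings obtained by applying every subset of the
    LEET substitutions to `word` (how leet rules enumerate variants)."""
    keys = list(LEET)
    variants = set()
    for r in range(len(keys) + 1):
        for subset in itertools.combinations(keys, r):
            out = word
            for k in subset:
                out = out.replace(k, LEET[k])
            variants.add(out)
    return variants


def mangle(base_words=BASE_WORDS):
    """Return every candidate the ruleset produces: for each base word, both
    capitalisations, every leet variant, every year and every symbol."""
    candidates = set()
    for word in base_words:
        for cased in (word, word.capitalize()):
            for variant in leet_variants(cased):
                for year in YEARS:
                    for symbol in SYMBOLS:
                        candidates.add(f"{variant}{year}{symbol}")
    return candidates


def search_bits(candidates):
    """Work needed to exhaust the candidate set, in bits (log2 of its size)."""
    return math.log2(len(candidates))


if __name__ == "__main__":
    cands = mangle()
    print(f"{len(cands)} candidates = {search_bits(cands):.1f} bits of search")
    for pw in ("Summer2024!", "P@ssw0rd", "R0$e1999#"):
        print(f"{pw!r} covered: {pw in cands}")
```

Real rule files are far larger than this toy, but the arithmetic is the point: a password that "looks" complex is only as strong as the base word plus the handful of transformations the attacker already knows to try.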
Techniques That Preserve Security
- Random generation then mnemonic: Generate the passphrase first with a CSPRNG, then build a memory aid around what was generated
- Visualisation: Convert each word to a concrete mental image and link them in a memorable scene — the images are not predictable from the words alone
- Spaced repetition: Test recall at increasing intervals (30 min → 2 hr → 24 hr → 1 week) to move a passphrase to long-term memory without writing it down
- In-place modification: Capitalise first letters or add a separator to satisfy a site's composition rules. A deterministic rule changes the format, not the entropy: it adds no strength, but it removes none either as long as the generated words are left intact
The core principle: A passphrase is only as random as the method used to generate it. If a human makes any choice in the selection process, even with good intentions, entropy is reduced. That includes rejecting a generated passphrase and rolling again because it reads awkwardly: repeated re-rolls are a selection, and the result is drawn only from the subset of outputs the human finds acceptable. Use a random generator, accept what it produces, then apply any memorability technique you like to the already-generated result.
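As an added example (not code from the original page), here is the generate-then-format workflow with the entropy accounting made explicit. The wordlist is a constructed 32-word toy list so the script runs offline; a real generator should use a published list such as the EFF long list, whose size (7776 words) appears below only for comparison. `format_for_site` is the deterministic in-place modification from the list above, and `entropy_after_human_filter` puts a number on the re-roll problem: re-rolling until every word passes some preference is rejection sampling, which is equivalent to drawing uniformly from the accepted subset, so the entropy is computed over that subset rather than the full list.

```python
import math
import secrets

# Constructed 32-word toy list so the script runs offline. A real generator
# should use a published list such as the EFF long list (7776 words); the
# entropy accounting below depends only on list size and number of words.
WORDLIST = [
    "oak", "lamp", "fern", "iron", "mint", "sail", "wolf", "harp",
    "clay", "dusk", "moss", "kite", "reef", "pine", "snow", "gull",
    "anvil", "basket", "candle", "desert", "engine", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "nickel", "orchid", "pepper",
]
EFF_LONG_LIST_SIZE = 7776


def entropy_bits(n_words, list_size):
    """Entropy of n words drawn uniformly and independently from a list of
    list_size words: n * log2(list_size). This is the only source of entropy."""
    return n_words * math.log2(list_size)


def generate(n_words, wordlist=WORDLIST):
    """Draw every word with the CSPRNG-backed `secrets` module. No human
    choice enters here, so the result carries entropy_bits(n, len(wordlist))."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def format_for_site(words, separator="-"):
    """Deterministic reformatting for a site's composition rules. It is a
    fixed function of the generated words, so it neither adds nor removes
    entropy; do not count the capitals or separator as extra strength."""
    return separator.join(w.capitalize() for w in words)


def entropy_after_human_filter(n_words, wordlist, accept):
    """Entropy when a human re-rolls until every word satisfies `accept`.
    Rejection sampling yields a uniform draw from the accepted subset, so
    the effective list is that subset and the entropy shrinks accordingly."""
    kept = [w for w in wordlist if accept(w)]
    return entropy_bits(n_words, len(kept))


if __name__ == "__main__":
    words = generate(4)
    print("generated:", " ".join(words))
    print("for a site:", format_for_site(words))
    print(f"toy list, 4 words: {entropy_bits(4, len(WORDLIST)):.1f} bits")
    print(f"EFF long list, 6 words: {entropy_bits(6, EFF_LONG_LIST_SIZE):.1f} bits")

    def short_only(w):
        # a plausible "looks nicer" preference: only words of four letters or fewer
        return len(w) <= 4

    print(f"after re-rolling for short words: "
          f"{entropy_after_human_filter(4, WORDLIST, short_only):.1f} bits")
```

With the toy list, four words give 20 bits; re-rolling until every word is short halves the effective list and drops that to 16 bits, and the same proportional loss applies to a real list. Six words from the EFF long list give about 77.5 bits, which is the figure to compare against the sub-15-bit search space that mangling rules cover.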
For informational purposes only. Password security requirements vary by context — consult your organisation's security policy and current NCSC/NIST guidance for your specific environment.