Passwords · 6 min read · By Hannah Brooks

Passphrases Made Easy: Strong Passwords You Can Actually Remember

The short answer: a passphrase is simply a few random everyday words joined together — like maple-river-cocoa-lantern. It is far harder for a computer to guess than a typical "complex" password, and far easier for you to remember. For most accounts, four random words is plenty.

If that's all you needed, go ahead and make one now. But if you'd like to understand why this works — and how to remember your new passphrase without writing it on a sticky note — stay with me. It only takes a few minutes, and I promise to keep it jargon-free.

Why the old advice let us down

For two decades we were told to make passwords "complex": mix upper and lower case, throw in a number, add a symbol. It sounded sensible. The problem is that humans are wonderfully predictable. Faced with that rule, almost everyone does the same handful of things: a capital letter at the front, a number at the end, an exclamation mark for good measure. "spring" becomes "Spring1!".

Attackers know every one of these habits. The tools they use to guess passwords are built around exactly these patterns. So the "complex" password ends up hard for you to recall but easy for a machine to crack. That's the worst of both worlds.

What makes a passphrase strong

Here's the single idea that matters: a password's strength comes from how many possible combinations an attacker would have to try. The more possibilities, the longer any guessing attack takes — quickly reaching numbers so large that no computer on Earth could finish in your lifetime.

And the fastest way to add possibilities is length. Every extra character multiplies the total. A passphrase gives you length cheaply: instead of memorising twelve random characters, you remember four ordinary words you can picture in your head.

The numbers, gently: our generator draws from a list of more than 300 friendly words. Picking four at random gives over a trillion-trillion (that's a 1 followed by 25 zeros, roughly) possible passphrases. Add a fifth word and you multiply that figure by another few hundred. That is comfortably beyond what any attacker can brute-force.

How to build a good one

You can do this by hand with dice and a word list, but the easiest route is to use a generator that picks the words randomly for you. Randomness is the secret ingredient — words you choose tend to be predictable (your pet's name, a favourite team), and predictable is weak.

A simple recipe

Our passphrase generator does all of this for you, shows a live strength rating, and never sends your passphrase anywhere — it all happens inside your browser.
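
As an added example (not the code behind the site's generator), here is one way a browser-side generator can pick words at random, and how the count of possible passphrases discussed under "What makes a passphrase strong" follows from list size and word count. The 16-word list is a constructed sample, and the 7776 figure assumes a five-dice word list.

```javascript
// Added illustration, not the site's generator. WORDS is a constructed sample;
// a real list is far longer (a five-dice list has 6^5 = 7776 entries).
const WORDS = [
  "maple", "river", "cocoa", "lantern", "otter", "candle", "harbor", "pebble",
  "willow", "meadow", "biscuit", "comet", "feather", "garden", "honey", "island",
];

// Web Crypto is global in browsers and current Node; older Node needs the module.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Uniform integer in [0, n). Values at or above the largest multiple of n that
// fits in 32 bits are redrawn, so "random % n" cannot favour the early words.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) {
    throw new RangeError("n must be an integer between 1 and 2^32");
  }
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Each word is drawn independently; repeats are allowed, which keeps the
// count of possible passphrases at exactly listSize ** wordCount.
function makePassphrase(wordCount, list = WORDS, separator = "-") {
  if (!Number.isInteger(wordCount) || wordCount < 1) {
    throw new RangeError("wordCount must be a positive integer");
  }
  const picked = [];
  for (let i = 0; i < wordCount; i++) picked.push(list[randomIndex(list.length)]);
  return picked.join(separator);
}

// Number of equally likely passphrases (BigInt keeps the figure exact).
function combinations(listSize, wordCount) {
  return BigInt(listSize) ** BigInt(wordCount);
}

// The same figure as bits of entropy: each word adds log2(listSize) bits.
function entropyBits(listSize, wordCount) {
  return wordCount * Math.log2(listSize);
}

console.log(makePassphrase(4));
console.log(combinations(7776, 4), entropyBits(7776, 4).toFixed(1));
console.log(combinations(7776, 5) / combinations(7776, 4)); // one more word multiplies by the list size
```

Math.random() is not a substitute for getRandomValues here, because it is not a cryptographic source of randomness.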

The bit everyone worries about: remembering it

This is where passphrases quietly shine. Random characters have nothing to hold on to in memory. Words do. The trick is to turn your four words into a tiny, vivid scene.

Say your passphrase is otter-candle-harbor-pebble. Picture an otter holding a candle, floating into a harbour, balancing on a pebble. The sillier and more colourful the image, the better it sticks. Say it out loud once or twice. Within a day or two you'll find you just know it.

Honest tip: you only need to truly memorise two or three passphrases — the ones for your email and your password manager. Let the password manager remember everything else. That's not cheating; it's exactly how security professionals do it.

Passphrases and password managers: the dream team

A password manager is an app that stores all your logins in one encrypted vault, locked behind a single master password. If you make that master password a strong passphrase — say six random words — you get the best of everything: one memorable key, and unique strong passwords for every site without having to recall any of them.

Worried about trusting a generator or a manager with something so important? That's a fair question, and I answer it fully in "Are Online Password Generators Safe?". And if a site you use ever gets breached, my calm action plan walks you through exactly what to do.

Your next step

Don't overthink it. Open the generator, make a four-word passphrase, picture the little scene, and use it on one account today. Tomorrow, do another. Small steps add up to a much safer online life — no panic required.

About the author

Hannah Brooks is a digital-safety educator who teaches everyday people simple, jargon-free ways to stay safe online. She writes every guide on PassphraseMaker and answers reader questions by email.

Frequently asked questions

How many words should a passphrase have?

Four random words is a strong everyday default. For your most important accounts — email, banking and your password manager — use five or six words.

Is a passphrase really stronger than a complex password?

Yes. Strength comes from the number of possible combinations, and length increases that far faster than swapping letters for symbols. Four random words from a large list is both stronger and easier to remember than a typical complex password.

Should I add numbers or symbols to my passphrase?

Often a site requires one, so adding a single number or symbol is fine and adds a little extra strength. But adding another whole word does far more good than sprinkling symbols throughout.

Can I reuse the same passphrase on several sites?

No. Use a unique passphrase for each important account. If one site is breached, reuse lets attackers walk straight into your other accounts. A password manager makes this painless.

How do I remember a passphrase?

Turn the words into a quick mental picture or a silly little story, and say it aloud a couple of times. Vivid images stick in memory far better than random characters.
