The average person has over 100 online accounts. Reusing passwords across sites means one data breach compromises everything. But remembering 100 unique, complex passwords is impossible without help. The good news: there are proven techniques for creating passwords that are both secure and memorable, and modern tools make managing them effortless.
What Makes a Password Secure?
Password strength comes down to two factors: length and entropy (randomness). A 12-character password with mixed case, numbers, and symbols has roughly 78 bits of entropy — enough to resist brute-force attacks for centuries. A 4-character PIN has about 13 bits — crackable in minutes.
Here is what an attacker faces when trying to crack a password:
| Password | Characters | Time to crack (offline) |
|---|---|---|
| 1234 | 4 | Instant |
| password | 8 | Seconds |
| P@ssw0rd! | 9 | Minutes to hours |
| correct-horse-battery-staple | 28 | Centuries |
| kX9#mP2$vL8nQ | 13 | Centuries |
The takeaway: length beats complexity. A long passphrase with common words is far more secure than a short password with special characters.
Technique 1: The Passphrase Method
The most effective approach for human-memorable passwords is the Diceware passphrase. Here is how it works:
- Pick 5–7 random words from a word list. You can use a physical word list, a random word generator, or the ToolShack Password Generator.
- String them together with a separator:
river-candle-piano-fortress-7. - Optionally, capitalize one word and add a number:
River-candle-piano-fortress-7.
This produces a password like river-candle-piano-fortress-7 — 31 characters long, easy to remember (picture a river with a candle on a piano in a fortress), and impossible to brute-force. The Electronic Frontier Foundation's Diceware method uses a list of 7,776 words, giving each word about 12.9 bits of entropy. Five words = 64.6 bits, six words = 77.5 bits, seven words = 90.3 bits.
Technique 2: The Sentence Method
Take a memorable sentence and use the first letter of each word, mixing in numbers and symbols:
Sentence: "I moved to San Francisco in 2019 and loved it!"
Password: Im2SFi2019&li!
This produces a 18-character password that is random-looking but tied to a personal memory. The sentence should be something unique to you — not a famous quote or song lyric, which are in cracking dictionaries.
Technique 3: Random Generation
For accounts where you do not need to remember the password (or where you will store it in a password manager), use a true random generator. The ToolShack Password Generator creates passwords with configurable length, character sets, and exclusions:
- 16+ characters with mixed case, numbers, and symbols for maximum security.
- Exclude ambiguous characters (0/O, 1/l/I) if you need to type the password manually.
- Generate in bulk — create 10 passwords at once and pick the one you like best.
Why You Need a Password Manager
Even with the best techniques, managing 100+ unique passwords is impossible without a tool. A password manager does the heavy lifting:
- Stores all your passwords in an encrypted vault protected by a single master password.
- Generates unique passwords for every account — you never reuse a password.
- Auto-fills credentials on websites and apps, so you never type passwords manually.
- Alerts you to breaches — services like 1Password and Bitwarden notify you if an account is compromised.
The investment in a password manager (many are free or under $3/month) is the single most impactful security improvement you can make. Your master password — the one password you must remember — should be a strong passphrase using the techniques above.
Common Password Mistakes
Reusing passwords across sites. If LinkedIn gets breached (which it has), attackers try the same password on your email, bank, and social media.
Using personal information. Birthdates, pet names, and addresses are the first things attackers try. They can find this information on your social media in seconds.
Writing passwords on sticky notes or in unencrypted files. If someone has physical access to your desk or computer, they have your passwords.
Changing passwords on a fixed schedule. NIST's current guidance recommends changing passwords only when there is evidence of compromise, not on arbitrary schedules.
Quick Password Strength Checklist
- At least 16 characters long (20+ is better)
- Unique — not used on any other account
- Not based on personal information
- Stored in a password manager, not in plain text
- Protected by two-factor authentication (2FA) where available
Conclusion
Strong passwords do not need to be complicated or impossible to remember. The passphrase technique — five or six random words — produces passwords that are both secure and memorable. For everything else, a password manager generates and stores unique credentials so you never have to reuse a password again. Start with the ToolShack Password Generator to create your first batch of secure passwords, and pair it with a password manager for long-term security.