All posts
SecurityJuly 8, 2026 7 min read

How to pick a password you'll actually remember (and can't easily be guessed)

Forget rotating capital letters and dollar signs. Here is what actually makes a password hard to crack, why length beats complexity, and the two-line recipe we use ourselves.

BluebirdBy Priya, Bluebird
BluebirdBluebird

The password advice you probably grew up with — one capital, one number, one special character, minimum eight characters — was written in the mid-2000s. The person who wrote it, a scientist at NIST named Bill Burr, publicly apologised for it in 2017. It turns out that the rules he'd suggested made passwords harder for humans to remember and only marginally harder for computers to guess.

The current best advice is much simpler: length beats complexity. A password of four or five random common words is vastly harder to crack than "P@ssw0rd1!" and vastly easier to remember. This post is about why, and how to actually do it.

Why length wins

A computer guessing passwords doesn't type them one at a time — it tries billions per second. What slows it down is the size of the space it has to search.

An 8-character password using letters, numbers and symbols has about 7 × 10¹⁵ possibilities. A cracking rig with a modern GPU can chew through that in about two hours.

A 5-word passphrase pulled from a list of the 8,000 most common English words has about 3 × 10¹⁹ possibilities — roughly 5,000 times more. The same rig would need over a year of continuous work.

Add a sixth word and you're at more than 2 × 10²³ possibilities. The universe will run out of stars first.

The two-line recipe

Pick four to six ordinary words. Anything — nouns, verbs, colours, animals. Don't try to make them mean something. The more absurd the combination, the easier it is to remember and the harder it is to guess.

"purple lantern hedgehog canoe" is a good one. "correct horse battery staple" is the famous XKCD one that started this whole movement. "biscuit tuesday piano avalanche" would be great, if I hadn't just written it down.

That's it. You don't need special characters. You don't need to swap letters for numbers. Length has already done the work.

Where the rules do still matter

Some old systems still cap passwords at 12 or 16 characters. There, complexity has to make up for the missing length — mix in numbers and symbols the old-fashioned way. Bluebird's Password Generator has a slider that handles both cases.

The one non-negotiable rule: never reuse a password across sites. Not once. When one site gets breached (and they do, constantly), attackers immediately try every leaked email/password pair on every other popular site. That's how a breach at a forum from 2013 empties your bank account in 2026.

The password manager conversation

You can memorise one long passphrase. You cannot memorise a hundred. So use a password manager for everything except two accounts: your email, and the manager itself. Those two are the roots of the tree, and they need to be memorable passphrases you carry in your head.

Any reputable manager will do. Bitwarden is free and open-source. 1Password is polished and paid. Even the built-in one in your browser is a hundred times better than reusing "Summer2024!" across twelve sites.

One test you can run right now

Type your current main password into Bluebird's Password Generator and read the strength estimate. If it says the password would fall in under a day, change it before you close this tab. Length. Words. Manager. That's the whole thing.