How to make strong passwords you will actually remember

A kind, practical walk-through: why passwords matter, the two rules that beat any cracker, and the one tool that eliminates the problem for good.

  • All
  • 6 min read
  • Easy
  • Updated April 15, 2026

The problem in one paragraph

Hackers don’t guess your password by trying a few things. They buy a list of every password ever leaked (there are billions floating around), and a computer tries all of them against your email in about one second. If your password is on one of those lists, they’re in.

The two rules

  1. Never use the same password twice. If one site gets hacked, every site you reused that password on is now compromised too.
  2. Make each password at least 16 characters. Length beats complexity every time. purple-garden-tractor-69 is far harder to crack than P@ssw0rd!.

The free fix: a password manager

You can’t remember dozens of 16-character passwords. Nobody can. That’s what a password manager is for: it remembers them for you. You only need to remember one master password.

Good free choices:

  • Bitwarden — free forever, works on every device. Our pick.
  • Apple Passwords — built into every Apple device.
  • Google Password Manager — built into Chrome.

Turn on two-factor authentication

“Two-factor” means you need a password plus a second thing (a code sent to your phone, or a tap in an app). Even if a hacker learns your password, they still can’t get in without your phone.

Every major site supports it. Go to your account settings and search for two-factor, 2FA, or login verification. Turn it on wherever you can.

What to do if you’ve been hacked

Signs: your friends get weird emails from you, your bank calls about a transaction you didn’t make, or you can’t log into an account you used yesterday.

  1. From a different device, change the password on the compromised account.
  2. Turn on two-factor authentication right away.
  3. Check your bank and credit card statements for the last 30 days.
  4. Consider a credit freeze at all three bureaus (Equifax, Experian, TransUnion) — it’s free and prevents anyone from opening new credit in your name.
  5. Report it at identitytheft.gov.

What’s next

Now that you’re more secure, read our spot a phishing email guide so hackers have a harder time tricking you into handing your new passwords over.

Keep going

Or see every guide