
The Passphrase Method: The Simple Trick to Creating Unhackable Passwords You’ll Actually Remember

Tired of forgetting passwords or reusing weak ones? The passphrase approach makes strong security easy to remember—and harder to crack.

By Neil J. Rubenking, Principal Writer, Security


Passwords are everywhere. It's true that passkeys are becoming more widespread, but they're far from universal. You still need to remember dozens or hundreds of passwords. If you use a simple, easy-to-remember password, a malefactor might crack it using a dictionary attack or simply learn it by peeking over your shoulder as you log in. If you carefully memorize a complex password like 2a(&K5xq1S8*7-hO (generated for me just now by my handmade password generator) and then use it on every site, a breach at one site exposes all of your other accounts: attackers routinely replay leaked username and password pairs against other services, a technique known as credential stuffing. Since remembering a different, strong, and complex password for every site is just not possible, what can you do? Try this trick of using passphrases instead of plain old passwords, that's what.


Turn a Sentence Into a Secure, Memorable Password

One way to create a password you can remember is to start with a memorable phrase and boil it down using some simple rules. The phrase "'Do I feel lucky?' Well, do ya, punk?" could become 'DIfl?'W,dy,p?. Or you might take a word you can remember and replace letters with leetspeak equivalents.

The wags who write the xkcd webcomic ridiculed the latter approach, advising that you instead combine random common words to get a long password like CorrectHorseBatteryStaple, and then come up with a story that links those words. "Long password" is the key concept here: the longer the password, the tougher it is to crack, provided the attacker can't simply look it up. Cracking tools already try leetspeak substitutions, famous quotations, and song lyrics, so a passphrase gets its strength from length combined with words or wording nobody else would pick. Instead of boiling down a memorable phrase, consider using the phrase in its entirety.
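To put numbers on "longer is tougher to crack," here is an added example (not code from the article or from xkcd) that builds a CorrectHorseBatteryStaple-style passphrase from randomly chosen words and compares its entropy with that of random-character passwords like the one the author's generator produced. The word list below is a constructed 32-word stand-in; the figure 7,776 is the size of the EFF long wordlist, and 95 is the number of printable ASCII characters. The guess rate of ten billion per second is an assumption chosen to represent an offline attack on a fast hash.

```python
import math
import secrets

# Constructed stand-in for a real diceware-style list such as the EFF long
# wordlist (7,776 entries). A list this small is for demonstration only.
WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "bright", "candle",
    "dragon", "ember", "forest", "garden", "harbor", "island", "jungle",
    "kettle", "lantern", "meadow", "nickel", "orchid", "pepper", "quartz",
    "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "biscuit", "copper", "dolphin",
]
EFF_LONG_LIST_SIZE = 7776   # size of the EFF long wordlist
PRINTABLE_ASCII = 95        # alphabet of a random-character generator


def random_passphrase(n_words, wordlist=WORDLIST, sep=""):
    """Pick n_words uniformly at random (secrets, not random) and join them.

    Capitalising each word keeps the boundaries visible when a site rejects
    spaces; it adds no entropy, since an attacker can apply the same rule.
    """
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return sep.join(w.capitalize() for w in words)


def entropy_bits(choices, length):
    """Entropy of a secret made of `length` independent picks from `choices`."""
    return length * math.log2(choices)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second


def compare(guess_rate=1e10):
    """Entropy (bits) and worst-case search time (seconds) per scheme.

    The guess rate is an assumed figure for an offline attack on a fast hash.
    """
    schemes = {
        "4 random EFF words": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "6 random EFF words": entropy_bits(EFF_LONG_LIST_SIZE, 6),
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "16 random printable chars": entropy_bits(PRINTABLE_ASCII, 16),
    }
    return {name: (bits, seconds_to_exhaust(bits, guess_rate))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("example passphrase:", random_passphrase(4))
    for name, (bits, secs) in compare().items():
        print(f"{name:28s} {bits:6.1f} bits  {secs / 86400:12.1f} days")
```

Running compare() shows that four random EFF words (about 51.7 bits) are roughly equivalent to eight random printable characters, not to the 16-character generated password (about 105 bits); adding words is what closes the gap, and the random choice is doing the work, so a phrase you invent or quote will sit below these numbers.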


How to Create a Passphrase

A passphrase is simply a phrase or sentence that you use instead of a word or set of characters. Some password systems don't allow the space character, so you'll typically capitalize the first letter of each word instead or insert a punctuation mark, such as a dash, between words. The key to creating a strong passphrase for a given website is to use something meaningful to you that wouldn't be easily guessed: a private association with the site rather than a proverb, movie quote, or lyric that already sits in cracking wordlists.

Suppose you want to create a passphrase for the Bank of America website. If you have a historical bent, you might use something like A.P.GianinniFoundedTheBankOfItalyIn1904. That's plenty strong: at 39 characters it's far beyond anything a brute-force search can cover, and it happens to satisfy the usual composition rules too, with uppercase and lowercase letters, digits, and special characters. Did you notice my sly tweak? I tend to misspell Giannini, so even if clever hackers somehow guessed my passphrase, that misspelling might throw them off.

Maybe your association is the sculpture nicknamed "The Banker's Heart" outside what used to be the Bank of America Center in San Francisco. OK, how about TheBanker'sHeart@555CaliforniaStreet as a passphrase? The point is to use a phrase describing something that you associate with the site, and to use as lengthy a phrase as you can bear to type.

As I mentioned earlier, the strongest password in the world isn't secure if you use it for every one of your secure sites. You do need to come up with a different one for each site. Maybe you regularly use PayPal to pay the kid down the block for mowing your lawn. Your PayPal password could be something like KeepItTrimmed,Kid,AndI'llGiveYou$$. See? It's not so hard.


When Passphrases Don't Fit

Occasionally, you'll find a site whose password length limit makes it tough to use a passphrase. In that case, you might consider boiling the passphrase down to the first letter of each word, retaining any digits or special characters; the result is shorter and therefore weaker, so save it for sites where the full phrase won't fit. And, of course, you still have to stay alert to phishing sites. If the page looks like PayPal but the address bar shows www.pyapal.gotcha.ru or some such, get out of there fast! The strength of your password is irrelevant if you give it away to fraudsters by entering it at a phishing site.
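The reduction rule described above and earlier (first letter of each word, digits and punctuation kept), applied to the article's own sample phrases, plus the address-bar check from the phishing warning, as an added example that is not code from the article. Splitting on capital letters as well as spaces is my extension so that CamelCase passphrases reduce without being respaced; the fit_to_limit and is_expected_site helpers and the paypal.com / gotcha.ru URLs are illustrative, with the hostile ones taken from the article's own example.

```python
import re
from urllib.parse import urlsplit

# One token per unit the rule cares about: a run of letters is a word (a
# capital starts a new word, so CamelCase phrases work without spaces), a
# run of digits is kept whole, and any other non-space character is
# punctuation that is kept as-is. Whitespace is skipped.
TOKEN = re.compile(r"[A-Z][a-z]*|[a-z]+|\d+|[^A-Za-z\d\s]")


def initialism(phrase):
    """Reduce a passphrase to the first letter of each word, keeping digits
    and special characters. All-caps words reduce to one letter per capital,
    which is the natural reading of the rule for acronyms."""
    return "".join(tok[0] if tok[0].isalpha() else tok
                   for tok in TOKEN.findall(phrase))


def fit_to_limit(phrase, max_len):
    """Use the full passphrase where the site allows it; fall back to the
    initialism when it does not. Returns None if even that is too long,
    so the caller knows a fresh phrase is needed rather than silently
    truncating (truncation would discard most of the secret)."""
    if len(phrase) <= max_len:
        return phrase
    short = initialism(phrase)
    return short if len(short) <= max_len else None


def is_expected_site(url, expected_domain):
    """True only if the URL is HTTPS and its host is expected_domain or a
    subdomain of it. Look-alikes such as www.pyapal.gotcha.ru, and hosts
    that merely start with the real name (paypal.com.evil.example), fail."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    return parts.scheme == "https" and (
        host == expected or host.endswith("." + expected))


if __name__ == "__main__":
    for phrase in ["'Do I feel lucky?' Well, do ya, punk?",
                   "A.P.GianinniFoundedTheBankOfItalyIn1904",
                   "KeepItTrimmed,Kid,AndI'llGiveYou$$"]:
        print(f"{phrase!r:45s} -> {initialism(phrase)!r}")
    print(fit_to_limit("A.P.GianinniFoundedTheBankOfItalyIn1904", 20))
    print(is_expected_site("https://www.pyapal.gotcha.ru/signin", "paypal.com"))
```

The movie quote reduces to exactly the 'DIfl?'W,dy,p? shown earlier, and the 39-character bank phrase shrinks to 15 characters, which is why the shortened form should be reserved for sites that enforce a limit. The host check compares the registrable domain, not a substring, because phishing hosts are deliberately built to contain the real name.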

For an accomplished typist, typing a passphrase on a keyboard is almost effortless. Entering that same passphrase on a smartphone or tablet is a good deal more tedious. One possible solution is to install a cross-device password manager and use a passphrase as your master password to unlock all your other passwords.

There are many paths to password perfection. Some may prefer to rely on a password manager to generate and manage strong passwords. For others, the passphrase solution offers a dandy balance: easy to remember and tough to crack.
