The influx of new information that we constantly face never slows down. By 2025, the space in your mind for details like the password to that email account you created in 2020 for your mom’s online marketplace registration is shrinking. On World Password Day, which occurs on May 1 this year, we recommend taking some time to address issues related to memory, weak passwords, and cybercriminals.
Our experts have consistently demonstrated that it’s just a matter of time — and resources — before someone can crack your password. It often doesn’t require much time or money, either. Our goal is to make it as difficult as possible for hackers to decipher your password, discouraging them from attempting to access your data.
Last year’s study showed that modern cracking algorithms — whether running on a high-performance graphics card or on cheap cloud hardware — can crack 59% of all passwords worldwide in under an hour. We’re currently in the second phase of that study and will soon reveal whether things have improved this past year, so subscribe to our blog or Telegram channel to be among the first to find out.
Today’s discussion will extend beyond just the best authentication methods and strategies for creating strong passwords. We will also explore methods for remembering passwords and discuss why utilizing a password manager in 2025 is a sound strategy.
Signing in securely in 2025
There are a variety of methods available for signing into online services and websites today:
- The conventional username and password combination
- Logging in through a third-party service like Google, Facebook, or Apple
- Two-factor authentication using one of the following verification methods:
  - SMS one-time codes
  - Authenticator apps like Kaspersky Password Manager, Google Authenticator, or Microsoft Authenticator
  - Hardware keys like Flipper, YubiKey, or USB tokens
- Passkeys and biometric authentication
Naturally, any of these approaches can be weakened (for instance, by leaving your hardware token plugged into an unattended computer in a public area) or strengthened (for example, by creating a complex password of more than 20 random characters). Since the era of the traditional password isn’t over just yet, let’s improve what we already have by devising, and memorizing, a strong yet easy-to-remember password.
What are some strategies for recalling a complex password?
Before diving into that question, let’s review some fundamental truths about passwords:
- Recommended length: 12–16 characters.
- A password should incorporate various character types: numbers, lowercase and uppercase letters, and special characters.
- A password must not contain personal details that can be easily linked to the user.
- Each password needs to be unique to every one of your accounts.
Understood? Great. Now let’s address the crucial point: a complex password is difficult to recall; a simple one — easily cracked. To strike a balance between the two, we’ve assembled some familiar, yet effective, guidelines for creating easy-to-remember passwords.
Basic level
Combine some unrelated words much like the ones used in seed phrases for crypto wallet registration. Then add a few numbers and special characters at the end that hold personal significance but aren’t easily guessed by an attacker.
For instance: DryLandStandGift2015;)
Shorter words tend to be easier to remember, and the number shouldn’t reflect the birth year of you or a loved one. It could be any memorable set, such as the year of your first trip to Disneyland, the license plate of your first car, or your wedding anniversary.
Advanced level
Consider a favorite lyric from a song or a well-known quote from a film, then substitute, say, every second or third letter with random special characters that don’t follow a sequential pattern on the keyboard. Using commonly accessible special characters (the ones visible on your phone’s on-screen keyboard in numeric mode) is more convenient. By doing this, you can construct a strong password that’s quick to input and simplifies your life.
For example, if you’re a fan of the Harry Potter series, you might use the Wingardium Leviosa charm for a good cause. Let’s transform this levitation charm according to the previous guideline while generously sprinkling it with special characters:
Wi4ga/di0mL&vi@sa
At first glance, a password like this may seem hard to remember, but with a little typing practice, it becomes manageable. Type it a couple of times, and you’ll find your fingers instinctively reaching for the correct keys.
How about relying on neural networks for generating passwords?
With the recent rise of ChatGPT and other large language models (LLMs), individuals have started to use them for creating passwords. It’s easy to understand why this might be an attractive choice: instead of struggling to invent a strong password, you simply request it from the AI assistant — with quick results. Plus, you can ask for the password to be mnemonic if you prefer.
Unfortunately, the risk of using AI as a reliable password generator is that it produces character combinations that only seem random to humans. Passwords generated by AI might not be as trustworthy as they first appear…
Alexey Antonov, who leads the Data Science Team at Kaspersky and previously studied password strength, generated a thousand passwords with each of ChatGPT, Llama, and DeepSeek. It turned out that every model knew that a good password should have at least a dozen characters, including uppercase and lowercase letters, digits, and special symbols. However, DeepSeek and Llama at times produced passwords built from dictionary words with some letters replaced by similar-looking numbers or symbols, such as B@n@n@7 or S1mP1eL1on. Interestingly, both models seemed to prefer variations of the word “password”, producing alternatives such as P@ssw0rd, P@ssw0rd!23, P@ssw0rd1, or P@ssw0rdV. It goes without saying that these passwords are not secure, since smart brute-force algorithms are well aware of the letter-substitution tactic.
The rest of the generated passwords appear to be entirely random sequences of letters, special characters, and numbers. However, upon closer inspection, one can identify certain patterns. For instance, some characters, specifically 9, W, p, x, and L, are used more frequently than others. We created a character frequency histogram for all the generated passwords, and here’s what we discovered: ChatGPT tends to favor the letters x and p; Llama shows an affinity for the character # and also likes p; while DeepSeek seems to favor t and w. In contrast, a truly random generator never prefers some characters over others; it uses every character approximately the same number of times, which makes the passwords far less predictable.
Additionally, LLMs, like people, often fail to include special characters or numbers in their passwords. This absence of symbols was observed in 26% of the passwords created by ChatGPT, 32% generated by Llama, and 29% by DeepSeek.
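To make the two measurements above concrete, here is an added example (not code from the Kaspersky study, whose password corpus is not on this page) that runs the same kind of analysis over a small constructed batch: a character frequency histogram, a peak-to-mean ratio that a uniform generator would keep close to 1, and the share of passwords that skip digits or special characters. The sample passwords are made up for the demonstration and deliberately lean on p, x, 9, W and L, mimicking the bias described above.

```python
from collections import Counter
import string

# Constructed sample, not passwords from the Kaspersky study: a few leetspeak
# dictionary words plus "random-looking" strings that overuse p, x, 9, W and L.
SAMPLE_PASSWORDS = [
    "P@ssw0rd!23",
    "B@n@n@7",
    "S1mP1eL1on",
    "xp9WLxpq3LxW",
    "Lp9xW#x9pLpW",
    "9xLpWx#9Lpx9",
    "Wp9xLxp9W9pL",
    "abcdefghijkl",
    "QwErTyUiOpAs",
    "x#p9W!Lx9pL#",
]

SYMBOLS = set(string.punctuation)


def char_frequency(passwords):
    """Histogram of every character across the whole batch."""
    return Counter("".join(passwords))


def top_chars(passwords, n=5):
    """The n most frequently used characters, most frequent first."""
    return [ch for ch, _ in char_frequency(passwords).most_common(n)]


def uniformity_ratio(passwords):
    """Count of the most frequent character divided by the mean count.

    A generator that draws every character with equal probability keeps this
    ratio close to 1 on a large batch; a strong preference for a few
    characters pushes it well above 1, which is exactly what a cracker can
    exploit by trying those characters first.
    """
    freq = char_frequency(passwords)
    mean = sum(freq.values()) / len(freq)
    return max(freq.values()) / mean


def lacks_digit_or_symbol(password):
    """True when at least one of the two 'hard' character classes is missing."""
    has_digit = any(ch.isdigit() for ch in password)
    has_symbol = any(ch in SYMBOLS for ch in password)
    return not (has_digit and has_symbol)


def missing_class_fraction(passwords):
    """Share of the batch that skips digits or special characters."""
    return sum(lacks_digit_or_symbol(pw) for pw in passwords) / len(passwords)


if __name__ == "__main__":
    print("most used characters:", top_chars(SAMPLE_PASSWORDS))
    print("peak-to-mean ratio:  ", round(uniformity_ratio(SAMPLE_PASSWORDS), 2))
    print("missing digit/symbol:", missing_class_fraction(SAMPLE_PASSWORDS))
```

On this constructed batch the most used characters come out as p and x, half of the passwords lack a digit or a symbol, and the peak-to-mean ratio is well above 2; on a batch from a cryptographically secure generator the ratio would sit near 1 and the top characters would change from run to run.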
Understanding these nuances can enable cybercriminals to brute-force AI-generated passwords more rapidly. We processed the entire collection of AI-generated passwords through the same algorithm utilized in the prior study, only to find an unsettling trend: 88% of the passwords produced by DeepSeek and 87% by Llama were deemed inadequately secure. ChatGPT performed better, with only 33% of its passwords identified as insecure.
Regrettably, LLMs do not produce a genuinely random distribution, and their outputs are predictable. Moreover, they can easily generate the same password for multiple users. So, what should be our course of action?
A combined strategy is advisable.
We propose the use of our Password Checker service or, ideally, Kaspersky Password Manager, to generate passwords. These tools utilize cryptographically secure generators to create passwords that lack identifiable patterns, ensuring true randomness. After generating a strong password, you can then devise a mnemonic phrase to aid in remembering it.
For example, if the password generator presents you with this combination:
HSVpk*VR0Gkq#WwJ
You could create a phrase to help recall the password, such as: In a high-speed vehicle (HSV), you go over a peak (pk) and observe a star (*) in virtual reality (VR). Following that, you experience zero gravity (0G) and encounter the king and queen (kq) behind bars (#) in the White witch’s jail (WwJ).
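As an added example of what “cryptographically secure generator” means in practice (this is not Kaspersky Password Manager’s code, and the symbol set is an assumption chosen to match a phone keyboard’s numeric layout), the block below draws every character with the operating system’s CSPRNG via Python’s secrets module, rejects the rare draws that miss a character class rather than forcing one character per class (forcing would skew the distribution), reports the size of the guessing space in bits, and checks over a batch that no character is favored.

```python
import math
import secrets
import string
from collections import Counter

# Assumption: the punctuation shown on a phone keyboard's numeric layout,
# so the result stays quick to type on mobile.
SYMBOLS = "!@#$%&*()-+=;:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def has_all_classes(password):
    """Lowercase, uppercase, digit and symbol all present?"""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length=16):
    """Draw each character independently from the OS CSPRNG (secrets.choice),
    then reject candidates that miss a class. Rejection keeps the accepted
    passwords close to uniform; inserting one forced character per class
    would make digits and symbols noticeably more predictable."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Size of the guessing space, in bits, for a uniformly random password."""
    return length * math.log2(alphabet_size)


def frequency_spread(sample_size=3000, length=16):
    """Generate a batch and return max_count / min_count over the alphabet.

    A uniform generator uses every character roughly equally often, so the
    spread stays near 1; a generator with favorite characters, as the LLMs
    in the study had, would show a much larger value."""
    freq = Counter()
    for _ in range(sample_size):
        freq.update(generate_password(length))
    counts = [freq[c] for c in ALPHABET]
    return max(counts) / min(counts)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw)):.0f} bits of guessing space")
    print("max/min character frequency over 3000 passwords:",
          round(frequency_spread(), 2))
```

A 16-character password over this 80-character alphabet gives roughly 101 bits of guessing space, far beyond the reach of the hour-long attack in the study above; the batch check is the same test a reviewer would run against any generator before trusting it, and it is also the test the AI-generated passwords fail.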
Only mnemonics can assist with this process, so we hope you enjoy using abstract and whimsical imagery. You might also consider sketching the scene that illustrates your password as described above. Few would be able to decipher the image except for you, making it an easy strategy for memorizing a single password. But what if you have hundreds of them?
Using a browser to store passwords?
That’s not advisable. To tackle the challenge of remembering passwords, browser developers offer functionalities to generate and save passwords directly in the browsers. This is undoubtedly convenient: the browser automatically fills in the password for you when required. Sadly, a browser does not equate to a password manager, and saving passwords there is highly insecure.
The issue is that cybercriminals discovered long ago how to use simple scripts to extract passwords stored in browsers in mere moments. Furthermore, the way browsers sync data across devices via the cloud — such as through a Google account — works against users. All it takes is for someone to hack or deceive a user into revealing the password for that account, and every other password becomes easily accessible.