Creating an unforgettable password

This is your World Password Day reminder about how to create strong passwords and remember them.

Creating a strong and easy-to-remember password

The flow of new information we’re bombarded with never ebbs. In 2025, you get less and less room in your head for things like the password for the email account you set up back in 2020 to sign your mom up for that online marketplace. On World Password Day, which falls on May 1 this year, we suggest putting in a little effort to combat poor memory, weak passwords, and cybercrooks.

As our experts have repeatedly proven, it’s only a matter of time — and money — before someone targeting your password cracks it. Often, it takes very little time and money, too. Our mission is to make cracking your password as difficult as possible, so hackers lose any desire to go after your data.

Our study last year found that intelligent algorithms — whether running on a powerful graphics card like the RTX 4090 or on inexpensive leased cloud hardware — can crack 59% of all passwords in the world in under an hour. We’re in the middle of that study’s phase two, and we’re about to share whether the situation has changed for the better over the year, so subscribe to our blog or Telegram channel to be among the first to know.

Today’s conversation covers more than just the most secure authentication methods and ways to make strong passwords. We’ll discuss techniques for remembering passwords, and answer the question of why using a password manager in 2025 is a really good idea.

How to sign in more securely in 2025

There are several options for signing in to online services and websites today:

Naturally, any of these methods can be compromised (for example, by leaving your hardware token sticking out of the USB port of an unattended computer in a public place), or toughened up (for example, by creating a complex password of more than 20 random characters). And so, as the era of traditional passwords isn’t over just yet, let’s try to figure out how we can improve our current standing by coming up with and memorizing an easy-to-remember password.

How do you remember a complex password?

Before answering this question, let’s recall the basic truths about passwords:

  • Recommended length: 12–16 characters.
  • A password should use different types of characters: numbers, lowercase and uppercase letters, and special characters.
  • A password shouldn’t contain personal information easily traced back to the user.
  • A password needs to be unique to each of your accounts.

Got it? Good. Now for the key issue: a complex password is easy to forget; a simple one — easy to crack. To help you achieve a balance between the two, we’ve put together some well-known, but still effective rules for creating easy-to-remember passwords.

Basic level

String together some unrelated words like the ones used in seed phrases when registering crypto wallets. And add a couple of numbers and special characters on the end that are meaningful to you but won’t be easily guessed by an attacker.

Example: DryLandStandGift2015;)

Shorter words are easier to remember, and the number shouldn’t be the year you or a loved one was born. It could be any memorable combination, such as the year you first went to Disneyland, the license plate of your first car, or your wedding date.

Advanced level

Think of a favorite line from a song or a memorable quote from a movie, and then replace, say, every second or third letter with special characters that aren’t in sequential order on the keyboard. Using easily accessible special characters (those you see on your phone’s on-screen keyboard in numeric mode) is handier. This is how you can make a strong password that’s quick to type and makes your life easier.

For example, if you’re a fan of the Harry Potter saga, you may try to use the Avada Kedavra spell for a good cause. Let’s try transforming this killing curse according to the rule above while peppering it generously with capital letters: A!ad@Kd$vr%. At first glance, a password like that looks impossible to remember, but all it takes is a little typing practice. Type it up two or three times, and you’ll see your fingers reaching for the right keys by themselves.

How about entrusting password generation to neural networks?

With the recent surge of ChatGPT and other large language models (LLMs), users have started turning to them for passwords. And it’s easy to see why that would be an appealing option: instead of straining to come up with a strong password, you just ask the AI assistant to generate it — with immediate results. And you can ask to make that password mnemonic if you wish to.

Alas, the danger of using AI as a strong password generator is that it creates combinations of characters that only appear random to the human eye. Passwords generated by AI are not as reliable as they may seem at first glance…

Alexey Antonov, Data Science Team Lead at Kaspersky, who conducted the previous password strength study, has generated a thousand passwords with ChatGPT, Llama, and DeepSeek each. It turned out each model knew that a good password consisted of at least a dozen characters, including both uppercase and lowercase letters, numbers, and special characters. However, DeepSeek and Llama sometimes generated passwords consisting of dictionary words, with some letters replaced with similar-looking numbers or symbols, such as B@n@n@7 or S1mP1eL1on. Amusingly, both models seemed to have a soft spot for the Password password, providing such variations as P@ssw0rd, P@ssw0rd!23, P@ssw0rd1, or P@ssw0rdV.
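The substitution trick described above is easy to undo mechanically, so a password check should reverse it before consulting a wordlist. The following added example (not Kaspersky's algorithm) does that for the passwords quoted in this article; the substitution table and the four-word denylist are constructed for illustration.

```python
from itertools import product

# Common look-alike substitutions. "1" and "!" are ambiguous, so each maps
# to two candidate letters. Illustrative table, not exhaustive.
LEET = {"@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s",
        "7": "t", "1": "il", "!": "il"}

# Tiny constructed denylist; a real check would load a large wordlist.
WORDS = {"password", "banana", "simple", "lion"}

# Passwords quoted in the article (LLM output), plus one ChatGPT sample.
PAGE_EXAMPLES = ["B@n@n@7", "S1mP1eL1on", "P@ssw0rd", "P@ssw0rd!23",
                 "P@ssw0rd1", "P@ssw0rdV", "qLUx@^9Wp#YZ"]


def deleet_candidates(password):
    """Yield every lowercase reading of the password with substitutions undone."""
    options = [LEET.get(ch, ch) for ch in password.lower()]
    for combo in product(*options):
        yield "".join(combo)


def dictionary_hits(password):
    """Return the denylisted words hidden behind substitutions, if any."""
    hits = set()
    for candidate in deleet_candidates(password):
        hits.update(word for word in WORDS if word in candidate)
    return hits


if __name__ == "__main__":
    for pw in PAGE_EXAMPLES:
        hits = dictionary_hits(pw)
        verdict = "reject: " + ", ".join(sorted(hits)) if hits else "no dictionary word found"
        print(f"{pw:14} {verdict}")
```

Every DeepSeek and Llama example from the article is rejected even though most of them satisfy the "four character classes" rule, while the ChatGPT sample passes this particular check.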

Needless to say, these are not secure passwords, as intelligent brute-forcing algorithms are well aware of the letter substitution trick. ChatGPT does a better job. Here are some examples of what it came up with:

  • qLUx@^9Wp#YZ
  • LU#@^9WpYqxZ
  • YLU@x#Wp9q^Z
  • P@zq^XWLY#v9
  • v#@LqYXW^9pz

These seem to be completely random sets of letters, special characters, and numbers. However, if you look closely, you can easily find some patterns. Some characters, for example, 9, W, p, x, and L, are used more often than others. We compiled a character frequency histogram for all generated passwords, and here’s what we found: ChatGPT’s favorite letters are x and p, Llama loves the character # and is partial to p too, while DeepSeek is hooked on t and w. Meanwhile, a perfectly random number generator would never favor any particular letter over others; it would use every character roughly an equal number of times, making the passwords less predictable.

Frequency of character usage by different language models when generating a thousand passwords. Note that almost every password generated by ChatGPT contains the letters x, p, I, and L.
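The same kind of frequency check can be run on the five ChatGPT samples quoted above. This is an added example, not the code used in the study; the 94-symbol alphabet and the function names are assumptions, and the comparison passwords come from Python's secrets module.

```python
import secrets
import string
from collections import Counter
from itertools import combinations

# The five ChatGPT-generated samples quoted in the article.
CHATGPT_SAMPLES = ["qLUx@^9Wp#YZ", "LU#@^9WpYqxZ", "YLU@x#Wp9q^Z",
                   "P@zq^XWLY#v9", "v#@LqYXW^9pz"]

# Assumed alphabet: the 94 printable ASCII letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def char_histogram(passwords):
    """Count how often each character occurs across all passwords."""
    return Counter("".join(passwords))


def expected_distinct(n_chars, alphabet_size=len(ALPHABET)):
    """Expected number of distinct symbols in n_chars uniform random draws."""
    return alphabet_size * (1 - (1 - 1 / alphabet_size) ** n_chars)


def in_every_password(passwords):
    """Characters that appear in every single password."""
    return set.intersection(*(set(p) for p in passwords))


def anagram_pairs(passwords):
    """Index pairs of passwords built from exactly the same characters."""
    return [(i, j) for (i, a), (j, b) in combinations(enumerate(passwords), 2)
            if sorted(a) == sorted(b)]


def csprng_passwords(count, length=12):
    """Uniformly random passwords from the OS CSPRNG, for comparison."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


if __name__ == "__main__":
    for label, pws in (("ChatGPT samples", CHATGPT_SAMPLES),
                       ("secrets module", csprng_passwords(5))):
        hist = char_histogram(pws)
        total = sum(hist.values())
        print(f"{label}: {len(hist)} distinct of {total} characters "
              f"(uniform expectation {expected_distinct(total):.1f})")
        print("  in every password:", sorted(in_every_password(pws)))
        print("  anagram pairs:", anagram_pairs(pws))
```

The five samples use only 16 distinct characters where a uniform generator would be expected to use about 44, eight characters occur in all five, and the first three passwords are rearrangements of one another.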


In addition, LLMs, like humans, often neglect to insert special characters or numbers into passwords. A lack of these symbols was found in 26% of passwords generated by ChatGPT, 32% of those generated by Llama, and 29% by DeepSeek.

Awareness of these specifics can help cybercriminals brute-force AI-generated passwords significantly faster. We ran the entire set of AI-generated passwords through the same algorithm we used for the previous study, only to find a discouraging trend: 88% of passwords generated by DeepSeek, and 87% by Llama, proved insufficiently secure. ChatGPT came out on top — with only 33% of its passwords insecure.

Sadly, LLMs don’t create a truly random distribution, and their output is predictable. Besides, they can easily generate the same password for you as for other users. So what should we do?

Combined approach

We recommend using our Password Checker service or, better yet, Kaspersky Password Manager, to generate passwords. These two use cryptographically secure generators to make passwords that don’t contain detectable patterns, which guarantees true randomness. After generating a strong password, you can then come up with a mnemonic phrase to remember it.

Let’s say the password generator gives you the following combination: HSVpk*VR0Gkq#R

Then, a phrase to help you remember the password might look like this: In a high-speed vehicle (HSV), you go over a peak (pk) and see a star (*) in virtual reality (VR). Then you fall at zero gravity (0G) and see the king and queen (kq) behind the bars (#) in a big tower shaped like a chess rook (R).

Only mnemonics can help with this, so we hope you like abstract and absurd imagery. You can also try drawing the scene that describes your password as shown above. Few would be able to understand the picture besides you. That’s an easy way to memorize one password. But what if there are hundreds of them?

How about storing passwords in a browser?

Not a good idea. To address the issue of remembering passwords, browser developers provide options to generate and save passwords right in the browsers. This is naturally very convenient: the browser itself fills in the password for you whenever needed. Unfortunately, a browser is not a password manager, and storing passwords there is extremely insecure.

The problem is, cybercriminals figured out a long time ago how to use simple scripts to pull passwords stored in browsers in mere seconds. And the way browsers sync data across different devices in the cloud — such as through a Google account — is a disservice to users. All it takes is to hack or trick someone into giving up the password for that account, and all their other passwords are an open book.

Use a password manager

A real password manager stores all passwords in an encrypted vault. For example, Kaspersky Password Manager stores all your passwords in a vault encrypted with the AES-256 symmetric encryption algorithm, used by the U.S. National Security Agency to store state secrets. The algorithm uses a master password, which only you know (even we don’t know it) as the encryption key. Each time Kaspersky Password Manager is accessed, the app requests this password from you and decrypts the vault for the current session. In this same encrypted vault you can also store other important information such as bank card numbers, document scans, or notes.

Kaspersky Password Manager offers other useful features too:

  • It can be used to generate unique and truly random password combinations.
  • It can fill in your passwords for you both on computers and mobile devices.
  • The app is provided for both major mobile platforms as well as macOS and Windows computers; there are also extensions for popular browsers.
  • The password database is synchronized across all your devices in encrypted form.
  • You can use it instead of Google Authenticator to generate 2FA codes for all your online accounts.
  • It checks if your passwords have been leaked or compromised and alerts you if you need to change any of them.

With Kaspersky Password Manager, all you need to do is use the methods described above to come up with and remember one master password, which is used to encrypt the password manager vault. Just remember: you’ll have to memorize this password extremely well, because if you lose it you’re back to square one. No one — not even Kaspersky employees — can access your encrypted vault. We don’t know your master password either.

Let’s recap

So how do you properly handle passwords in 2025?

  • Follow the guidelines above to come up with a secure master password, and use our Password Checker service to test its cryptographic strength.
  • Can’t think of a strong master password? Create one right there, and use mnemonic rules to memorize it.
  • Install Kaspersky Password Manager on all your devices. With this app, you only need to remember the master password. The app will remember the rest for you.
  • Use passkeys and various two-factor authentication methods wherever possible — preferably through the app. Combining a strong password with secure authentication methods creates a powerful synergy, which significantly enhances protection against unauthorized access to your accounts.
  • Most importantly, read Kaspersky Daily to stay safe.
