What makes a password memorable has little to do with the password itself, but rather how it is used. If you use a password a lot, you will have memorized it within a week or two, regardless of how it was generated.

I have a couple of passwords which I use frequently, for things like logging into my workstation and my password manager. These are generated randomly, and I memorize them. When I change them (which is very infrequently) I keep a written copy to hand until I have memorized them, and I keep a written copy in a safe place. Everything else my password manager remembers for me.

My memorized passwords do not have to obey other people’s rules about character selection, so I can tune them to be easier to type: they are only lower case letters. This makes it more reasonable to use a long password even on my phone where FaceID’s unreliability means I have to type it more than I would like.

My current passwords are 16 letters (75 bits, more than enough), which I wrote down as 4 groups of 4. The 4x4 rhythm helped with memorising. I found I remembered the groups first, then it was a matter of remembering the right groups in the right order in each password.

For the sake of completeness here are a few word-based passphrase techniques (I’ve not used myself any of these), although I question how easily memorable they are:

• EFF’s word list – see https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases, an alternative word list to the original DiceWare method;
• mnemonic – see https://github.com/singpolyma/mnemonicode, another alternative word list; (the original was lost to the internet bit rot;)
• BIP0039 – https://en.bitcoin.it/wiki/BIP_0039; (mainly for long-term storage of seeds, thus perhaps not tailored for memorization;)
• S/KEY – https://en.wikipedia.org/wiki/S/KEY; (used for one-time-passwords, but it does have a standard word list;)
• PGP (PGPphone) – https://en.wikipedia.org/wiki/PGP_word_list; (used for verbally checking fingerprints; again perhaps not very memorable;)

Then I’ve found two other techniques that can generate passwords (I’ve not used this myself):

• Proquint – see https://github.com/dsw/proquint/blob/master/proquint-proposal.txt; (mainly used for binary encoding, although if you encode random bits you get passwords; it looks quite pronounceable;)
• Koremutake – see https://shorl.com/koremutake.php; (focused on pronounceable passwords;)

Myself, I’m using (for more than 15 years now) exclusively passwords with the following pattern cvcv cvcv cvcv cvcv (where c stands for consonant and v for vowel); for example:

>> z-tokens generate -c 10

xufu fuso kozo sosu
wele gapu lihu woyo
vole peju huho macu
qogu lesa taxu ziko
zupi wewo keru lihe
mepu buka juco rife
sofu yaqi hapo paxi
doso yemu saho vadi
neno juju vuve yaqe
zewa tozo toto zeyu

They have 53 bits of entropy (each “word” has exactly 10k variants), which is good enough for online authentication. They are also (somewhat) easily pronounceable and after a bit of practice they are definitively remediable.

If any site is “picky” and wants upper letters, digits or symbols, I just change the last word to upper-case, or replace it with CVds where d is a digit and s is a symbol.

And last, as shameless self-promotion, I’ve submitted a few days ago to this community my own password generator z-tokens. But I really want to find out what other techniques people are finding usable.

For passwords that I need to remember (that won’t go in my password manager), I use a 7-word passphrase generated with diceware using the EFF’s word list.

I made an app to generate easy to memorize strong passwords: https://ezmempass.ihsan.io/. It is free on Android and IOS.

I can memorize 10-word passwords (100 bits of entropy) with 5 days on more-than-once-daily usage. I only have a few such passwords, for my password manager and email.

I’ve posted an extensive comment about this topic here: https://lobste.rs/s/li7v9e/let_s_settle_password_vs_passphrase#c_outuax

I just use high-entropy passwords (random characters). It works fine for me. The procedure I use to memorize it, and to be sure that I have actually memorized it and will be able to recall it under a variety of conditions, has far more effect than what kind of password it is.

My own memorization techniques would be unlikely to work for others because they’re based on my observations about how my brain stores things.

The question does ask what works for me, so I’ll give some detail anyway. In particular, for me the phonetic representation and the written representation go together and I need to make sure both are correct in my mental recitals, and that both have all the information about the other. So for example I silently say “capital Z” to myself while reading a password I intend to memorize, not just “z” with a sense of emphasis, because the latter risks being unable to remember whether the emphasis meant it was capitalized, or where it went in the string… that sense-of-emphasis isn’t itself phonetic so it gets misplaced in my memory.

Passwords based on word lists would be dramatically harder for me because there’s too much risk I’d apply thought-tools meant for other contexts, contexts where precision isn’t as important.

I have a bunch of other little observations about my memory, but I’ve looked into the research and have every reason to expect they’re mostly specific to me, so I’ll stop there. My advice to others would be to study how YOUR memory works, and keep track of what helps and what doesn’t. When you find yourself making an error, ask what caused it and what could have prevented it.

I built an implementation of Diceware for my password generator app which in my experience generates fairly memorable passwords.

I’ve thought about questions related to this for quite a while!

A few years ago I used Google Books data to create a few word lists of common words from books, based on the assumption that those words would be generally easy-to-remember. I even made one for 1Password to consider using and a few other lists optimized for inputting on TVs.

I also became very interested in methods for making a word list uniquely decodable, a property that allows users to safely combine words without a delimiter (like “dispatchentertainfastnessbarbecueneutronmascot”). I ended up using a modified Sardinas–Patterson algorithm to make lists uniquely decodable with minimal word cuts.

Lastly, I’ll link to a Rust tool I wrote to help me work with word lists which might be of interest to readers of this thread. I also listed a bunch of word lists in the README.

For a short, memorizable password to be typed frequently: possibly the correct-horse-battery-staple scheme in xkcd.com/936. Personally, however, I don’t recommend or use this scheme for memorization. My passwords are in a password manager; the master password for the password manager is the only one I memorize—and even it can be salvaged using other methods besides solely memory.

For a longer, not-often-typed passphrase that does not have to be wholly memorized: a sentence from a book. You would then only have to remember the book’s name and a keyword/chapter number [*], using which you can later retrieve the sentence from a copy of the book (you will know when you come across the exact sentence as you browse the chapter). If the passphrase is particularly important, you may want to write the book’s name and chapter number in a notebook, or make a habit of recalling the detail every morning when you wake up.

It’s also worth differentiating between memorizable and memorable, as I see it: the first scheme in my comment makes a memorizable password; the second scheme makes a memorable password. I think memorizing is an ultimately unreliable exercise. Having something be memorable isn’t.

[*] ideally the book is a non-translated work, otherwise you may have to remember the translator

Diceware, with the EFF word list. The one with 6**5 = 7,776 entries.

I honestly only remember my passwords for logging into League of Legends, the rest I just use a manager &/ don’t type that much.