You probably already know some obvious password safety tips, like don’t use “password” as your password. But did you know a password like “Ch@ll3ng3r%$” is not much more secure? 

Sure, it mixes upper- and lower-case letters, numbers and special characters, like you’re often advised to do when creating a password for a new account. And yet a hacker could quickly crack it using a dictionary attack (see below). “Challenger” is a common base word, and the modifications are fairly simplistic.

This article will explain how to create a strong password, along with some additional advice on how to keep your passwords secure. But first it’s helpful to understand a bit about how online services use passwords to manage account access and how hackers can steal your credentials.

How hackers steal passwords
3 steps to create strong passwords
Safety tips

How passwords are stored – and stolen

You may be thinking that no hacker would bother targeting you personally, and you’re probably right. The danger is not that a hacker will target you, but rather that your password will be part of a larger data breach(new window). If you use a weak password, hackers can extract it from even a cryptographically secured database along with all the other weak passwords.

Therefore, your goal is to create a password that will be difficult for a hacker with a powerful computer to crack, while also being simple enough to memorize.

A password is a way to confirm a user has permission to access an account or device. When you create a new account with an online service, the password you create is passed through a special algorithm (a cryptographic hash function(new window)) and converted into a seemingly random string of letters and numbers, known as a hash. That way, if the user database is ever leaked or breached, plaintext passwords are not exposed. The next time you enter your password to log in to your account, the password is again converted to a hash and compared to the hash in the database. If it matches, you get access to your account.

Data breaches(new window) have become common, and hackers often get their hands on a big database of hashes. To convert the hashes to plaintext passwords, all they have to do is run different passwords through the hash function and see if the hashes match. A powerful computer can test billions of character combinations per second. 

Attack methods

One method, called a brute force attack, tries every possible combination of characters, starting with “0000000”, “0000001”, and so on. This process is slow, but perhaps not as slow as you’d think. The shorter the password, and the fewer types of characters, the less time it takes to brute force.

Another method, called a dictionary attack(new window), saves time by trying common words, character substitutions (e.g., “3” instead of “E”), numbers, and combinations (e.g., a pet name plus a six-digit date). Dictionary attacks can be programmed to anticipate a large number of variations. Thus, even a password like “Pr0tonmai1#%$” is relatively predictable and could conceivably be hacked.

Other common attack methods depend on tricking you into giving away your password or getting you to install keylogging malware on your device. Learn about how to prevent phishing attacks.(new window)

How to create a strong password

You will never create a sufficient variety of passwords for all your accounts that are both memorable for you and strong enough to prevent it from being hacked. 

Therefore, the best solution is to use an encrypted password manager to create unique, randomly generated passwords.

Here’s our recommendation:

  • Step 1: Sign up for and download a reputable, end-to-end encrypted password manager. Proton Pass is open source and allows you to generate passwords and even email aliases so your usernames are also secure.
  • Step 2: Use your password manager to generate unique, random passwords for each of your accounts. The default length and character mix are sufficient, but you can make your passwords longer if you wish.
  • Step 3: For your password manager and any passwords you must memorize, we recommend using a passphrase. You can read all about passphrases(new window) in our previous article. Generally, you should use four or five random, uncommon words.

A few final tips

Never reuse a password across multiple accounts. If your password is somehow exposed (perhaps in a phishing attack(new window), social engineering, keylogger, etc.), the attacker could then attempt to enter your credentials to log in to other services. This is one reason it is imperative to use two-factor authentication(new window), especially for your most sensitive accounts, such as banking, social media, and email. 2FA for your email account is especially important because email is used to reset other passwords.

Depending on your threat model(new window), it may or may not be a good idea to write down your passwords. There are smart ways to keep your password diary safe(new window).

A better place to store passwords is in a trusted password manager. Proton Pass lets you generate unlimited strong passwords and stores them with end-to-end encryption, meaning only you can access them. 

You can learn more about our password manager in this video:


What is the strongest password I can use?

The strongest password will be at least 12 characters long, with a random mix of upper-case and lower-case letters, numbers, and special characters. However, these kinds of passwords are difficult to remember, which is why it’s important to use a password manager. We recommend using a passphrase(new window) to secure your password manager.

What are three things that make a strong password?

If you’re using a password, it should be random and long. Proton Pass defaults to 16 characters. If you’re using a passphrase, the important thing is that it contains at least four random words, as illustrated here(new window).

Should I use a password generator?

You should only use a password generator inside your password manager app. This ensures your password is end-to-end encrypted so that only you can see it. To generate passwords in Proton Pass, create a free Proton Account and follow the instructions to use Proton Pass for web(new window).

Schütze deine Privatsphäre mit Proton
Kostenloses Konto erstellen

Verwandte Artikel

proton scribe
Die meisten von uns schicken täglich E-Mails. Die richtigen Worte und den passenden Ton zu finden, kann jedoch viel Zeit in Anspruch nehmen. Heute stellen wir Proton Scribe vor, einen intelligenten, datenschutzorientierten Schreibassistenten, der dir
Menschen und Unternehmen unterliegen in der Regel den Gesetzen des Landes und der Stadt, in der sie sich befinden, und diese Gesetze können sich ändern, wenn sie an einen neuen Ort ziehen. Die Situation wird jedoch komplizierter, wenn man Daten betra
Deine Online-Daten werden nicht mehr nur für Werbung verwendet, sondern auch für KI-Training. Google nutzt öffentlich zugängliche Informationen, um seine KI-Modelle zu trainieren, was Bedenken aufwirft, ob KI überhaupt mit Datenschutzgesetzen vereinb
Das iPhone speichert Passwörter im iCloud-Schlüsselbund, Apples integriertem Passwort-Manager. Es ist praktisch, hat aber einige Nachteile. Ein großes Problem ist, dass es nicht gut mit anderen Plattformen funktioniert, was es für Apple-Nutzer schwie
Es gibt viele Gründe, warum du Passwörter, Bankdaten und andere hochsensible Informationen teilen musst. Aber wir haben festgestellt, dass viele dies über Messaging-Apps oder andere Methoden tun, die deine Daten gefährden. Als Antwort auf die Bedürf
Große Sprachmodelle (LLMs), die auf öffentlichen Datensätzen trainiert wurden, können viele Zwecke erfüllen, von der Erstellung von Blogposts bis hin zur Programmierung. Ihr wahres Potenzial liegt jedoch in der Kontextualisierung, die entweder durch