You probably already know some obvious password safety tips, like don’t use “password” as your password. But did you know a password like “Ch@ll3ng3r%$” is not much more secure? 

Sure, it mixes upper- and lower-case letters, numbers and special characters, like you’re often advised to do when creating a password for a new account. And yet a hacker could quickly crack it using a dictionary attack (see below). “Challenger” is a common base word, and the modifications are fairly simplistic.

This article will explain how to create a strong password, along with some additional advice on how to keep your passwords secure. But first it’s helpful to understand a bit about how online services use passwords to manage account access and how hackers can steal your credentials.

How hackers steal passwords
3 steps to create strong passwords
Safety tips

How passwords are stored – and stolen

You may be thinking that no hacker would bother targeting you personally, and you’re probably right. The danger is not that a hacker will target you, but rather that your password will be part of a larger data breach(new window). If you use a weak password, hackers can extract it from even a cryptographically secured database along with all the other weak passwords.

Therefore, your goal is to create a password that will be difficult for a hacker with a powerful computer to crack, while also being simple enough to memorize.

A password is a way to confirm a user has permission to access an account or device. When you create a new account with an online service, the password you create is passed through a special algorithm (a cryptographic hash function(new window)) and converted into a seemingly random string of letters and numbers, known as a hash. That way, if the user database is ever leaked or breached, plaintext passwords are not exposed. The next time you enter your password to log in to your account, the password is again converted to a hash and compared to the hash in the database. If it matches, you get access to your account.

Data breaches(new window) have become common, and hackers often get their hands on a big database of hashes. To convert the hashes to plaintext passwords, all they have to do is run different passwords through the hash function and see if the hashes match. A powerful computer can test billions of character combinations per second. 

Attack methods

One method, called a brute force attack, tries every possible combination of characters, starting with “0000000”, “0000001”, and so on. This process is slow, but perhaps not as slow as you’d think. The shorter the password, and the fewer types of characters, the less time it takes to brute force.

Another method, called a dictionary attack(new window), saves time by trying common words, character substitutions (e.g., “3” instead of “E”), numbers, and combinations (e.g., a pet name plus a six-digit date). Dictionary attacks can be programmed to anticipate a large number of variations. Thus, even a password like “Pr0tonmai1#%$” is relatively predictable and could conceivably be hacked.

Other common attack methods depend on tricking you into giving away your password or getting you to install keylogging malware on your device. Learn about how to prevent phishing attacks.(new window)

How to create a strong password

You will never create a sufficient variety of passwords for all your accounts that are both memorable for you and strong enough to prevent it from being hacked. 

Therefore, the best solution is to use an encrypted password manager to create unique, randomly generated passwords.

Here’s our recommendation:

  • Step 1: Sign up for and download a reputable, end-to-end encrypted password manager. Proton Pass is open source and allows you to generate passwords and even email aliases so your usernames are also secure.
  • Step 2: Use your password manager to generate unique, random passwords for each of your accounts. The default length and character mix are sufficient, but you can make your passwords longer if you wish.
  • Step 3: For your password manager and any passwords you must memorize, we recommend using a passphrase. You can read all about passphrases(new window) in our previous article. Generally, you should use four or five random, uncommon words.

A few final tips

Never reuse a password across multiple accounts. If your password is somehow exposed (perhaps in a phishing attack(new window), social engineering, keylogger, etc.), the attacker could then attempt to enter your credentials to log in to other services. This is one reason it is imperative to use two-factor authentication(new window), especially for your most sensitive accounts, such as banking, social media, and email. 2FA for your email account is especially important because email is used to reset other passwords.

Depending on your threat model(new window), it may or may not be a good idea to write down your passwords. There are smart ways to keep your password diary safe(new window).

A better place to store passwords is in a trusted password manager. Proton Pass lets you generate unlimited strong passwords and stores them with end-to-end encryption, meaning only you can access them. 

You can learn more about our password manager in this video:


What is the strongest password I can use?

The strongest password will be at least 12 characters long, with a random mix of upper-case and lower-case letters, numbers, and special characters. However, these kinds of passwords are difficult to remember, which is why it’s important to use a password manager. We recommend using a passphrase(new window) to secure your password manager.

What are three things that make a strong password?

If you’re using a password, it should be random and long. Proton Pass defaults to 16 characters. If you’re using a passphrase, the important thing is that it contains at least four random words, as illustrated here(new window).

Should I use a password generator?

You should only use a password generator inside your password manager app. This ensures your password is end-to-end encrypted so that only you can see it. To generate passwords in Proton Pass, create a free Proton Account and follow the instructions to use Proton Pass for web(new window).

Protégez votre vie privée avec Proton
Créer un compte gratuit

Articles similaires

Proton Wallet
QUELLE SÉCURITÉ OFFRE PROTON WALLET ? Notre vision à long terme est que Proton Wallet devienne un portefeuille numérique qui vous donne le contrôle total de vos actifs numériques. Bien que le type d’actifs que vous pouvez détenir dans Proton Wallet
  • Guides vie privée
Bitcoin est un réseau de paiement innovant qui utilise les transactions pair-à-pair pour éliminer le besoin d’une banque centrale. Bitcoin a révolutionné les principes fondamentaux de l’échange de valeur en montrant qu’un réseau de nœuds entièrement
Proton Wallet est un portefeuille d’actifs numériques qui prend actuellement en charge l’auto-gardiennage de Bitcoin sur la chaîne. Dans cet article, nous passons en revue les principales fonctionnalités et l’architecture de sécurité qui font de Prot
proton scribe
La plupart d’entre nous envoient des e-mails tous les jours. Trouver les bons mots et le ton adéquat peut cependant prendre beaucoup de temps. Aujourd’hui, nous vous présentons Proton Scribe, un assistant d’écriture intelligent et axé sur la confiden
Les personnes et les entreprises sont généralement soumises aux lois du pays et de la ville où elles se trouvent, et ces lois peuvent changer lorsqu’elles déménagent. Cependant, la situation devient plus compliquée lorsqu’on considère les données, qu
Vos données en ligne ne sont plus seulement utilisées pour des publicités, mais aussi pour entraîner l’IA. Google utilise des informations disponibles publiquement pour entraîner ses modèles d’IA, ce qui suscite des inquiétudes quant à savoir si l’IA