3 safety tips to create a strong password


You probably already know some obvious password safety tips, like don’t use “password” as your password. But did you know that a password like “Ch@ll3ng3r%$” is not much more secure? Sure, it mixes upper- and lower-case letters, numbers and special characters, like you’re often advised to do when creating a password for a new account. And yet a hacker could crack it using a dictionary attack in an hour or two. “Challenger” is a common base word, and the modifications are too simplistic to fool most hackers.

You may be thinking that no hacker would bother attacking you personally, and you’re probably right. The danger is not that a hacker will target you, but rather that your password will be part of a larger data breach. If you use a weak password, hackers can extract it from the database along with all the other weak passwords.

Therefore, your goal is to create a password that will be difficult for a hacker with a powerful computer to crack, while also being simple enough to memorize. This article will explain exactly how to do that, as well as offer some advice on what to do with your strong password once you’ve thought of it. But first it’s helpful to understand a bit about how online services use passwords to manage account access and how hackers can steal your credentials.

How passwords are stored – and stolen

A password is a way to confirm a user has permission to access an account or device. When you create a new account with an online service, the password you create is passed through a special algorithm (a cryptographic hash function) and converted into a seemingly random string of letters and numbers, known as a hash. That way, if the user database is ever leaked or breached, plaintext passwords are not exposed. The next time you enter your password to log in to your account, the password is again converted to a hash and compared to the hash in the database. If it matches, you get access to your account.

Data breaches have become common, and hackers often get their hands on a big database of hashes. To convert the hashes to plaintext passwords, all they have to do is run different passwords through the hash function and see if the hashes match. A powerful computer can test billions of character combinations per second. One method, called a brute force attack, tries every possible combination of characters, starting with “0000000”, “0000001”, and so on. This process is slow, but perhaps not as slow as you’d think. A 12-year-old desktop computer processing brute force combinations can crack a password with five lower-case letters and five numbers in 23 hours.
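The store-then-compare flow described above, as an added example (not Proton’s code): each user gets a random salt, the password is run through a deliberately slow hash (PBKDF2-HMAC-SHA256, iteration count assumed for the demo), and login re-hashes the attempt and compares. The timing helper shows why a slow hash matters: the guesses-per-second figure from the breach scenario drops from billions to whatever one PBKDF2 call costs.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Work factor for PBKDF2; a constructed value for this demo. Real services tune it.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash a password for storage. A fresh random salt per user means two users
    with the same password get different hashes, so a precomputed table of
    hashes is useless against the whole database at once."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(attempt: str, salt: bytes, stored: bytes) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare the
    result. compare_digest avoids leaking how many bytes matched via timing."""
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, stored)


def measure_guess_rate(samples: int = 5) -> float:
    """Guesses per second one CPU core can test against this hash format.
    With a slow KDF this is far below the billions possible against a fast hash."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_password(f"guess{i}", salt)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    salt, stored = hash_password("colloquyemphy9semaspectermalevolent")
    print(verify_password("colloquyemphy9semaspectermalevolent", salt, stored))  # True
    print(verify_password("Ch@ll3ng3r%$", salt, stored))  # False
    print(f"{measure_guess_rate():.0f} PBKDF2 guesses/s on this machine")
```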

Another method, called a dictionary attack, saves time by trying common words, character substitutions (e.g., “3” instead of “E”), numbers, and combinations (e.g., a pet name plus a six-digit date). Dictionary attacks can be programmed to anticipate a large number of variations. Thus, even a password like “Pr0tonmai1#%$” is relatively predictable and could conceivably be hacked.

How to create a strong password

A strong password is one that is easy for you to remember but difficult for a clever hacker with a powerful computer to guess. Short passwords using simple words and combinations are easy to crack. But long passwords using random characters are difficult to remember and may tempt you to reuse the same password across multiple accounts (don’t do that). The best solution for most people is to use an encrypted password manager with a long passphrase as the master password.

Here’s our recommendation:

Step 1: Sign up for and download a reputable, end-to-end encrypted password manager. Bitwarden, KeePass, LastPass, and 1Password are all good options.

Step 2: Use your password manager to generate unique, random passwords for each of your accounts. The default length and character mix are perfectly sufficient, but you can make your passwords longer if you wish.

Step 3: For your password manager and any passwords you must memorize, we recommend using a passphrase.

You can read all about passphrases in our previous article. Generally, you should use four or five random, uncommon words. Computer scientist Mike Pound also suggests inserting a random special character in the middle of one of the words. So, a password like “colloquyemphy9semaspectermalevolent” could be a strong password.

Of course, the problem with prescribing a strong password recipe is that hackers can now try to add this combination to their dictionary. Creating a good password requires a measure of creativity on your part to come up with a sufficient amount of entropy.
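An added strength estimator (not Proton’s code) that puts numbers on the reasoning in this section: a passphrase of random words drawn from a list, the extra entropy from Mike Pound’s inserted symbol, and a “base word + substitutions + symbols” password as a dictionary attack models it. The wordlist size, dictionary size, symbol count and guess rate are all assumed values, chosen to be plausible rather than measured.

```python
import math


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of `words` words chosen uniformly at random from a list.
    7776 is the size of a diceware-style list (assumed default)."""
    return words * math.log2(wordlist_size)


def inserted_symbol_bits(phrase_length: int, symbols: int = 32) -> float:
    """Extra entropy from inserting one random symbol at a random position
    in the passphrase (the Mike Pound tip): position choice times symbol choice."""
    return math.log2(phrase_length * symbols)


def pattern_bits(dictionary_size: int, substitutable_letters: int,
                 suffix_length: int, symbols: int = 32, case_variants: int = 2) -> float:
    """Entropy of a base-word password as a dictionary attack sees it: one word
    from a list, each substitutable letter swapped or not (1 bit each), a
    capitalization choice, and a short symbol suffix. Mixing character classes
    adds little when the attacker's candidate generator already expects it."""
    return (math.log2(dictionary_size) + substitutable_letters
            + suffix_length * math.log2(symbols) + math.log2(case_variants))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate of a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed rate against a fast, unsalted hash
    # "Ch@ll3ng3r%$" as modelled: 100k-word list, 3 leet swaps (a, e, e), "%$" suffix
    weak = pattern_bits(100_000, 3, 2)
    # five random words plus one inserted symbol, as in the article's example
    strong = passphrase_bits(5) + inserted_symbol_bits(35)
    for label, bits in (("base word + swaps + symbols", weak),
                        ("5-word passphrase + symbol", strong)):
        days = seconds_to_exhaust(bits, rate) / 86400
        print(f"{label}: {bits:.1f} bits, {days:,.2f} days to exhaust at {rate:.0e}/s")
```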

What to do with your strong password

First of all, don’t reuse it across multiple accounts. If your password is somehow exposed (perhaps in a phishing attack, social engineering, keylogger, etc.), the attacker could then attempt to enter your credentials to log in to other services. This is one reason it is imperative to use two-factor authentication.

Depending on your threat model, it may or may not be a good idea to write down your passwords. There are smart ways to keep your password diary safe.


Also, a word on password managers. No system is 100% secure, and there have been identified security vulnerabilities in password managers. Depending on your threat model, a password manager may not be appropriate for you. But we believe the benefits of a password manager outweigh the risks for most users. (You can also integrate your password manager with your Proton Mail account.)

This article is part of a series of how-to articles. You can follow us on social media or subscribe to our Reddit channel to join the conversation and keep up with Proton Mail updates.

Best Regards,
The Proton Mail Team

Sign up and get a free secure email account from Proton Mail.

We also provide a free VPN service to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.


Ben Wolford

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.
