3 safety tips to create a strong password

Ben Wolford

Share this page

You probably already know some obvious password safety tips, like don’t use “password” as your password. But did you know that a password like “Ch@ll3ng3r%$” is not much more secure? Sure, it mixes upper- and lower-case letters, numbers and special characters, like you’re often advised to do when creating a password for a new account. And yet a hacker could crack it using a dictionary attack in an hour or two. “Challenger” is a common base word, and the modifications are too simplistic to fool most hackers.

You may be thinking that no hacker would bother attacking you personally, and you’re probably right. The danger is not that a hacker will target you, but rather that your password will be part of a larger data breach(new window). If you use a weak password, hackers can extract it from the database along with all the other weak passwords.

Therefore, your goal is to create a password that will be difficult for a hacker with a powerful computer to crack, while also being simple enough to memorize.
This article will explain exactly how to do that, as well as offer some advice on what to do with your strong password once you’ve thought of it. But first it’s helpful to understand a bit about how online services use passwords to manage account access and how hackers can steal your credentials.

How passwords are stored – and stolen

A password is a way to confirm a user has permission to access an account or device. When you create a new account with an online service, the password you create is passed through a special algorithm (a cryptographic hash function(new window)) and converted into a seemingly random string of letters and numbers, known as a hash. That way, if the user database is ever leaked or breached, plaintext passwords are not exposed. The next time you enter your password to log in to your account, the password is again converted to a hash and compared to the hash in the database. If it matches, you get access to your account.

Data breaches(new window) have become common, and hackers often get their hands on a big database of hashes. To convert the hashes to plaintext passwords, all they have to do is run different passwords through the hash function and see if the hashes match. A powerful computer can test billions of character combinations per second. One method, called a brute force attack, tries every possible combination of characters, starting with “0000000”, “0000001”, and so on. This process is slow, but perhaps not as slow as you’d think. A 12-year-old desktop computer processing brute force combinations can crack a password with five lower-case letters and five numbers in 23 hours(new window).

How to create a strong password

A strong password is one that is easy for you to remember but difficult for a clever hacker with a powerful computer to guess. Short passwords using simple words and combinations are easy to crack. But long passwords using random characters are difficult to remember and may tempt you to reuse the same password across multiple accounts (don’t do that. The best solution for most people is to use an encrypted password manager with a long passphrase as the master password.

Another method, called a dictionary attack(new window), saves time by trying common words, character substitutions (e.g., “3” instead of “E”), numbers, and combinations (e.g., a pet name plus a six-digit date). Dictionary attacks can be programmed to anticipate a large number of variations. Thus, even a password like “Pr0tonmai1#%$” is relatively predictable and could conceivably be hacked.

Here’s our recommendation:

Step 1: Sign up for and download a reputable, end-to-end encrypted password manager. Bitwarden, KeePass, LastPass, and 1Password are all good options.

Step 2: Use your password manager to generate unique, random passwords for each of your accounts. The default length and character mix are perfectly sufficient, but you can make your passwords longer if you wish.

Step 3: For your password manager and any passwords you must memorize, we recommend using a passphrase.

You can read all about passphrases in our previous article. Generally, you should use four or five random, uncommon words.
Computer scientist Mike Pound also suggests(new window) inserting a random special character in the middle of one of the words. So, a password like “colloquyemphy9semaspectermalevolent” could be a strong password.

Of course, the problem with prescribing a strong password recipe is that hackers can now try to add this combination to their dictionary. Creating a good password requires a measure of creativity on your part to come up with a sufficient amount of entropy.

What to do with your strong password

First of all, don’t reuse it across multiple accounts. If your password is somehow exposed (perhaps in a phishing attack(new window), social engineering, keylogger, etc.), the attacker could then attempt to enter your credentials to log in to other services. This is one reason it is imperative to use two-factor authentication.

Depending on your threat model(new window), it may or may not be a good idea to write down your passwords. There are smart ways to keep your password diary safe(new window).

encrypted email illustration

Also, a word on password managers. No system is 100% secure, and there have been identified(new window) security vulnerabilities(new window) in password managers. Depending on your threat model, a password manager may not be appropriate for you. But we believe the benefits of a password manager outweigh the risks for most users. (You can also integrate your password manager(new window) with your Proton Mail account.)

This article is part of a series of how-to articles. You can follow us on social media or subscribe to our Reddit channel to join the conversation and keep up with Proton Mail updates.

Best Regards,
The Proton Mail Team

Sign up and get a free secure email(new window) account from Proton Mail.

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to(new window) a (new window)paid plan. Thank you for your support.

Protect your privacy with Proton
Get a free account

Share this page

Ben Wolford

Ben Wolford is a writer at Proton. A journalist for many years, Ben joined Proton to help lead the fight for data privacy.

Related articles

The first month of 2023 has brought brutal layoffs from Big Tech, a potential ban of TikTok in the US, and another Twitter breach. But the biggest development of this new year has to be the ascent of ChatGPT.  The chatbot can produce remarkably huma
Hackers were able to steal account details from over 200 million Twitter users and posted the database on a hacking forum in early January 2023. These details include users’ email addresses and Twitter handles, allowing people to potentially identify
From your online shopping receipts to financial statements, your emails contain a great deal of sensitive information about your life, interests, and daily schedule. If you’re concerned about your online privacy, it’s therefore vital to keep your inb
At Proton, we’re committed to building privacy-focused products that are convenient to use and improve your productivity. Last year, we released the new mobile apps for Proton Calendar and Proton Drive, letting you manage your schedule and upload imp
Most email services aren’t secure and limit attachment file sizes, but there are ways to send large files securely. If you’ve ever tried attaching multiple images or video files to an email, you’ll know that it doesn’t always work. We explain ways t
Email wasn’t initially designed to be secure. From spam and phishing attempts to malware, unethical marketers and cybercriminals try to undermine the security and privacy of your inbox every day. Since your inbox stores plenty of sensitive informatio