ProtonBlog(new window)

3 safety tips to create a strong password

Share this page

You probably already know some obvious password safety tips, like don’t use “password” as your password. But did you know a password like “Ch@ll3ng3r%$” is not much more secure? 

Sure, it mixes upper- and lower-case letters, numbers and special characters, like you’re often advised to do when creating a password for a new account. And yet a hacker could quickly crack it using a dictionary attack (see below). “Challenger” is a common base word, and the modifications are fairly simplistic.

This article will explain how to create a strong password, along with some additional advice on how to keep your passwords secure. But first it’s helpful to understand a bit about how online services use passwords to manage account access and how hackers can steal your credentials.

Contents:
How hackers steal passwords
3 steps to create strong passwords
Safety tips
FAQ

How passwords are stored – and stolen

You may be thinking that no hacker would bother targeting you personally, and you’re probably right. The danger is not that a hacker will target you, but rather that your password will be part of a larger data breach(new window). If you use a weak password, hackers can extract it from even a cryptographically secured database along with all the other weak passwords.

Therefore, your goal is to create a password that will be difficult for a hacker with a powerful computer to crack, while also being simple enough to memorize.

A password is a way to confirm a user has permission to access an account or device. When you create a new account with an online service, the password you create is passed through a special algorithm (a cryptographic hash function(new window)) and converted into a seemingly random string of letters and numbers, known as a hash. That way, if the user database is ever leaked or breached, plaintext passwords are not exposed. The next time you enter your password to log in to your account, the password is again converted to a hash and compared to the hash in the database. If it matches, you get access to your account.

Data breaches(new window) have become common, and hackers often get their hands on a big database of hashes. To convert the hashes to plaintext passwords, all they have to do is run different passwords through the hash function and see if the hashes match. A powerful computer can test billions of character combinations per second. 

Attack methods

One method, called a brute force attack, tries every possible combination of characters, starting with “0000000”, “0000001”, and so on. This process is slow, but perhaps not as slow as you’d think. The shorter the password, and the fewer types of characters, the less time it takes to brute force.

Another method, called a dictionary attack(new window), saves time by trying common words, character substitutions (e.g., “3” instead of “E”), numbers, and combinations (e.g., a pet name plus a six-digit date). Dictionary attacks can be programmed to anticipate a large number of variations. Thus, even a password like “Pr0tonmai1#%$” is relatively predictable and could conceivably be hacked.

Other common attack methods depend on tricking you into giving away your password or getting you to install keylogging malware on your device. Learn about how to prevent phishing attacks.(new window)

How to create a strong password

You will never create a sufficient variety of passwords for all your accounts that are both memorable for you and strong enough to prevent it from being hacked. 

Therefore, the best solution is to use an encrypted password manager to create unique, randomly generated passwords.

Here’s our recommendation:

  • Step 1: Sign up for and download a reputable, end-to-end encrypted password manager. Proton Pass is open source and allows you to generate passwords and even email aliases so your usernames are also secure.
  • Step 2: Use your password manager to generate unique, random passwords for each of your accounts. The default length and character mix are sufficient, but you can make your passwords longer if you wish.
  • Step 3: For your password manager and any passwords you must memorize, we recommend using a passphrase. You can read all about passphrases(new window) in our previous article. Generally, you should use four or five random, uncommon words.

A few final tips

Never reuse a password across multiple accounts. If your password is somehow exposed (perhaps in a phishing attack(new window), social engineering, keylogger, etc.), the attacker could then attempt to enter your credentials to log in to other services. This is one reason it is imperative to use two-factor authentication(new window), especially for your most sensitive accounts, such as banking, social media, and email. 2FA for your email account is especially important because email is used to reset other passwords.

Depending on your threat model(new window), it may or may not be a good idea to write down your passwords. There are smart ways to keep your password diary safe(new window).

A better place to store passwords is in a trusted password manager. Proton Pass lets you generate unlimited strong passwords and stores them with end-to-end encryption, meaning only you can access them. 

You can learn more about our password manager in this video:

FAQ

What is the strongest password I can use?

The strongest password will be at least 12 characters long, with a random mix of upper-case and lower-case letters, numbers, and special characters. However, these kinds of passwords are difficult to remember, which is why it’s important to use a password manager. We recommend using a passphrase(new window) to secure your password manager.

What are three things that make a strong password?

If you’re using a password, it should be random and long. Proton Pass defaults to 16 characters. If you’re using a passphrase, the important thing is that it contains at least four random words, as illustrated here(new window).

Should I use a password generator?

You should only use a password generator inside your password manager app. This ensures your password is end-to-end encrypted so that only you can see it. To generate passwords in Proton Pass, create a free Proton Account and follow the instructions to use Proton Pass for web(new window).

Protect your privacy with Proton
Create a free account

Share this page

Ben Wolford(new window)

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.

Related articles

Can you password-protect a folder in Google Drive?
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec
Proton Pass now supports passkeys on all devices and plans
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing atta
what is a passkey?
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, an
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail