Proton

3 safety tips to create a strong password

You probably already know some obvious password safety tips, like don’t use “password” as your password. But did you know a password like “Ch@ll3ng3r%$” is not much more secure? 

Sure, it mixes upper- and lower-case letters, numbers and special characters, like you’re often advised to do when creating a password for a new account. And yet a hacker could quickly crack it using a dictionary attack (see below). “Challenger” is a common base word, and the modifications are fairly simplistic.

This article will explain how to create a strong password, along with some additional advice on how to keep your passwords secure. But first it’s helpful to understand a bit about how online services use passwords to manage account access and how hackers can steal your credentials.

Contents:
How hackers steal passwords
3 steps to create strong passwords
Safety tips
FAQ

How passwords are stored – and stolen

You may be thinking that no hacker would bother targeting you personally, and you’re probably right. The danger is not that a hacker will target you, but rather that your password will be part of a larger data breach(new window). If you use a weak password, hackers can extract it from even a cryptographically secured database along with all the other weak passwords.

Therefore, your goal is to create a password that will be difficult for a hacker with a powerful computer to crack, while also being simple enough to memorize.

A password is a way to confirm a user has permission to access an account or device. When you create a new account with an online service, the password you create is passed through a special algorithm (a cryptographic hash function(new window)) and converted into a seemingly random string of letters and numbers, known as a hash. That way, if the user database is ever leaked or breached, plaintext passwords are not exposed. The next time you enter your password to log in to your account, the password is again converted to a hash and compared to the hash in the database. If it matches, you get access to your account.

Data breaches(new window) have become common, and hackers often get their hands on a big database of hashes. To convert the hashes to plaintext passwords, all they have to do is run different passwords through the hash function and see if the hashes match. A powerful computer can test billions of character combinations per second. 

Attack methods

One method, called a brute force attack, tries every possible combination of characters, starting with “0000000”, “0000001”, and so on. This process is slow, but perhaps not as slow as you’d think. The shorter the password, and the fewer types of characters, the less time it takes to brute force.

Another method, called a dictionary attack(new window), saves time by trying common words, character substitutions (e.g., “3” instead of “E”), numbers, and combinations (e.g., a pet name plus a six-digit date). Dictionary attacks can be programmed to anticipate a large number of variations. Thus, even a password like “Pr0tonmai1#%$” is relatively predictable and could conceivably be hacked.

Other common attack methods depend on tricking you into giving away your password or getting you to install keylogging malware on your device. Learn about how to prevent phishing attacks.(new window)

How to create a strong password

You will never create a sufficient variety of passwords for all your accounts that are both memorable for you and strong enough to prevent it from being hacked. 

Therefore, the best solution is to use an encrypted password manager to create unique, randomly generated passwords.

Here’s our recommendation:

  • Step 1: Sign up for and download a reputable, end-to-end encrypted password manager. Proton Pass is open source and allows you to generate passwords and even email aliases so your usernames are also secure.
  • Step 2: Use your password manager to generate unique, random passwords for each of your accounts. The default length and character mix are sufficient, but you can make your passwords longer if you wish.
  • Step 3: For your password manager and any passwords you must memorize, we recommend using a passphrase. You can read all about passphrases(new window) in our previous article. Generally, you should use four or five random, uncommon words.

A few final tips

Never reuse a password across multiple accounts. If your password is somehow exposed (perhaps in a phishing attack(new window), social engineering, keylogger, etc.), the attacker could then attempt to enter your credentials to log in to other services. This is one reason it is imperative to use two-factor authentication(new window), especially for your most sensitive accounts, such as banking, social media, and email. 2FA for your email account is especially important because email is used to reset other passwords.

Depending on your threat model(new window), it may or may not be a good idea to write down your passwords. There are smart ways to keep your password diary safe(new window).

A better place to store passwords is in a trusted password manager. Proton Pass lets you generate unlimited strong passwords and stores them with end-to-end encryption, meaning only you can access them. 

You can learn more about our password manager in this video:

FAQ

What is the strongest password I can use?

The strongest password will be at least 12 characters long, with a random mix of upper-case and lower-case letters, numbers, and special characters. However, these kinds of passwords are difficult to remember, which is why it’s important to use a password manager. We recommend using a passphrase(new window) to secure your password manager.

What are three things that make a strong password?

If you’re using a password, it should be random and long. Proton Pass defaults to 16 characters. If you’re using a passphrase, the important thing is that it contains at least four random words, as illustrated here(new window).

Should I use a password generator?

You should only use a password generator inside your password manager app. This ensures your password is end-to-end encrypted so that only you can see it. To generate passwords in Proton Pass, create a free Proton Account and follow the instructions to use Proton Pass for web(new window).

Related articles

how to write a professional email
Easy steps and examples for writing a professional email. See how Proton Mail can make your emails stand out.
Email etiquette: What it is and why it matters |
Find out what email etiquette is with key rules and examples, why it is important, and how Proton Mail can help.
A cover image for a blog about how to create an incident response plan that shows a desktop computer and a laptop with warning signs on their screens
Do you have an incident response plan to protect your business from financial and reputational damage? Find out how Proton Pass for Business can help you stay safe.
Shared with me in Proton Drive for desktop user interface
  • For business
  • Product updates
  • Proton Drive
We've improved Proton Drive for Windows to make it easier to securely collaborate with others from your desktop.
Smart glasses that have been modified for facial surveillance and dox you in real time, finding your personal information after seeing your face.
Students modified smart glasses to find someone’s personal data after just looking at them. This is why we must minimize data collection.
The cover image for a blog explaining what password encryption is and how Proton Pass helps users with no tech experience benefit from it
Password encryption sounds complicated, but anyone can benefit from it. We explain what it is and how it’s built into Proton Pass for everyone to use.