
How to store and manage your passwords safely


Your passwords (or more accurately, your usernames and passwords) are the keys to your digital life. They are the first (and often only) line of defense, preventing hackers and other bad actors from ransacking your bank accounts and pillaging your personal details to steal your identity. It’s therefore vital to create strong and unique passwords for every service you use.

Learn more about how to create strong passwords you’ll actually remember

Creating strong passwords is a good start, but you’ll also need to store them safely in a way that you can access when you actually need them, plus edit them and add new passwords when you sign up for new services. 

In this article, we look at how to store and manage your passwords safely.

1. Use a good password manager

The single most important thing you can do to keep your passwords safe and accessible is to use a good password manager. These can generate, store, and autofill strong, unique passwords for each of your accounts, and can sync your passwords across all your devices. 

Password managers encrypt your passwords, notes, bank card details, and other sensitive information so that no one but you can access them. Some password managers, however, are more secure than others.

For example, LastPass suffered a catastrophic data breach that would have been less serious if it encrypted all of its customers’ data (metadata such as URLs, file paths to installed LastPass Windows or macOS software, and certain user email addresses were unencrypted).

Proton Pass is a password and identity manager that securely stores passwords, credit cards, and other data (including all metadata) using end-to-end encryption. It also suggests email aliases when creating accounts so you don’t have to share your real email address.

Learn more about the Proton Pass security model

2. Secure your password manager with a strong master password

A good password manager will keep your passwords safe — but it also needs to be secured itself using a strong master password. This is a single password (or better yet, passphrase) that you use to access your other passwords (and related data).

This is great, because you need only remember one password. However, it’s also a potential point of failure because if someone guesses your master password, they can access all your passwords (and other sensitive information). 

It’s therefore vital to create a master password that is strong but that you’ll also remember. One easy way to do this is with our online password generator. If using this, we suggest generating a Memorable password.

3. Secure your password manager using 2FA

One-factor authentication requires something you know (your login details). Two-factor authentication (2FA) requires an additional piece of information that proves your identity. This is usually a physical device, such as your phone or a 2FA security key.

Unless an adversary has physical access to this device, they can’t access your accounts. Two-factor authentication therefore provides a valuable additional layer of security for your account, and this is never more important than when securing your password manager. 

Learn more about two-factor authentication

You can secure your Proton Account (including your access to Pass) with 2FA using a third-party TOTP authenticator app or a U2F or FIDO2 security key.

It’s worth noting that Proton Pass features an integrated 2FA authenticator. For security reasons, you shouldn’t use this to secure your Pass master password, but it does provide a convenient way to protect your other accounts with 2FA. 

4. Share your passwords securely

Sometimes you need to share passwords with friends, family, and colleagues. If you can’t do this in person, then be careful to use a secure end-to-end encrypted communications channel. 

Learn more about end-to-end encryption

Many popular channels, including most email services (such as Gmail, Outlook.com, and iCloud Mail) do not use end-to-end encryption. This means the service provider can see the contents of all your messages. Please also be aware that on Telegram, only Secret chats are end-to-end encrypted.

Learn which messenger apps are good for privacy

Arguably the worst communications channel to share passwords on is SMS. SMS texts are not encrypted in any way, and the technology that underpins the SMS network is heavily compromised by hackers (both criminal and state-sponsored). 

Learn why you should stop using SMS

Safe ways to remotely share your passwords must use end-to-end encryption. These include secure messaging apps such as Signal, email services such as Proton Mail, and files stored on secure cloud storage platforms such as Proton Drive and shared using password-protected links.

Alternatively, the Proton Pass app offers a secure Password Sharing feature that allows you to easily share your passwords, usernames, credit cards, and other data stored in Proton Pass with anyone. Your data stays end-to-end encrypted, and you can revoke access anytime.

Learn more about Password Sharing in Proton Pass

5. Be wary of phishing

Phishing scams try to trick you into downloading malware or revealing sensitive data (such as your bank password and username). Phishing attacks come in many forms, but the one people are probably most familiar with is the scam email that purports to be sent from a legitimate company and contains links encouraging you to sign in to a fake copycat website.

Learn more about phishing

To keep your passwords secure, be cautious about where you enter them and always verify the authenticity of the website or service before inputting your credentials.

With Proton Pass’s Hide my email feature, you can create unique email aliases for each service you sign up for, which are then instantly forwarded to your inbox. You can disable or delete these aliases as needed. As fewer websites have access to your real email address, Hide my email helps to protect you against phishing (and also spam).

Final thoughts

Managing your digital security through strong and unique passwords is not just a good practice, it’s necessary if you want to prevent your accounts being hacked. By utilizing a reliable password manager like Proton Pass, strengthening it with a robust master password, and reinforcing it with two-factor authentication, you place a formidable barrier between your personal information and potential intruders.

Additionally, understanding the importance of secure password sharing and remaining vigilant against phishing attempts are crucial steps in safeguarding your online presence. Remember, each step you take towards securing your passwords is a stride towards protecting your digital identity. 


Douglas Crawford

Starting with ProPrivacy and now Proton, Douglas has worked for many years as a technology writer. During this time, he has established himself as a thought leader specializing in online privacy. He has been quoted by the BBC News, national newspapers such as The Independent, The Telegraph, and The Daily Mail, and by international technology publications such as Ars Technica, CNET, and LinuxInsider. Douglas was invited by the EFF to help host a livestream session in support of net neutrality. At Proton, Douglas continues to explore his passion for privacy and all things VPN.
