You probably already know some obvious password safety tips, like don’t use “password” as your password. But did you know a password like “Ch@ll3ng3r%$” is not much more secure? 

Sure, it mixes upper- and lower-case letters, numbers and special characters, like you’re often advised to do when creating a password for a new account. And yet a hacker could quickly crack it using a dictionary attack (see below). “Challenger” is a common base word, and the modifications are fairly simplistic.

This article will explain how to create a strong password, along with some additional advice on how to keep your passwords secure. But first it’s helpful to understand a bit about how online services use passwords to manage account access and how hackers can steal your credentials.

How hackers steal passwords
3 steps to create strong passwords
Safety tips

How passwords are stored – and stolen

You may be thinking that no hacker would bother targeting you personally, and you’re probably right. The danger is not that a hacker will target you, but rather that your password will be part of a larger data breach(new window). If you use a weak password, hackers can extract it from even a cryptographically secured database along with all the other weak passwords.

Therefore, your goal is to create a password that will be difficult for a hacker with a powerful computer to crack, while also being simple enough to memorize.

A password is a way to confirm a user has permission to access an account or device. When you create a new account with an online service, the password you create is passed through a special algorithm (a cryptographic hash function(new window)) and converted into a seemingly random string of letters and numbers, known as a hash. That way, if the user database is ever leaked or breached, plaintext passwords are not exposed. The next time you enter your password to log in to your account, the password is again converted to a hash and compared to the hash in the database. If it matches, you get access to your account.

Data breaches(new window) have become common, and hackers often get their hands on a big database of hashes. To convert the hashes to plaintext passwords, all they have to do is run different passwords through the hash function and see if the hashes match. A powerful computer can test billions of character combinations per second. 

Attack methods

One method, called a brute force attack, tries every possible combination of characters, starting with “0000000”, “0000001”, and so on. This process is slow, but perhaps not as slow as you’d think. The shorter the password, and the fewer types of characters, the less time it takes to brute force.

Another method, called a dictionary attack(new window), saves time by trying common words, character substitutions (e.g., “3” instead of “E”), numbers, and combinations (e.g., a pet name plus a six-digit date). Dictionary attacks can be programmed to anticipate a large number of variations. Thus, even a password like “Pr0tonmai1#%$” is relatively predictable and could conceivably be hacked.

Other common attack methods depend on tricking you into giving away your password or getting you to install keylogging malware on your device. Learn about how to prevent phishing attacks.(new window)

How to create a strong password

You will never create a sufficient variety of passwords for all your accounts that are both memorable for you and strong enough to prevent it from being hacked. 

Therefore, the best solution is to use an encrypted password manager to create unique, randomly generated passwords.

Here’s our recommendation:

  • Step 1: Sign up for and download a reputable, end-to-end encrypted password manager. Proton Pass is open source and allows you to generate passwords and even email aliases so your usernames are also secure.
  • Step 2: Use your password manager to generate unique, random passwords for each of your accounts. The default length and character mix are sufficient, but you can make your passwords longer if you wish.
  • Step 3: For your password manager and any passwords you must memorize, we recommend using a passphrase. You can read all about passphrases(new window) in our previous article. Generally, you should use four or five random, uncommon words.

A few final tips

Never reuse a password across multiple accounts. If your password is somehow exposed (perhaps in a phishing attack(new window), social engineering, keylogger, etc.), the attacker could then attempt to enter your credentials to log in to other services. This is one reason it is imperative to use two-factor authentication(new window), especially for your most sensitive accounts, such as banking, social media, and email. 2FA for your email account is especially important because email is used to reset other passwords.

Depending on your threat model(new window), it may or may not be a good idea to write down your passwords. There are smart ways to keep your password diary safe(new window).

A better place to store passwords is in a trusted password manager. Proton Pass lets you generate unlimited strong passwords and stores them with end-to-end encryption, meaning only you can access them. 

You can learn more about our password manager in this video:


What is the strongest password I can use?

The strongest password will be at least 12 characters long, with a random mix of upper-case and lower-case letters, numbers, and special characters. However, these kinds of passwords are difficult to remember, which is why it’s important to use a password manager. We recommend using a passphrase(new window) to secure your password manager.

What are three things that make a strong password?

If you’re using a password, it should be random and long. Proton Pass defaults to 16 characters. If you’re using a passphrase, the important thing is that it contains at least four random words, as illustrated here(new window).

Should I use a password generator?

You should only use a password generator inside your password manager app. This ensures your password is end-to-end encrypted so that only you can see it. To generate passwords in Proton Pass, create a free Proton Account and follow the instructions to use Proton Pass for web(new window).

Bescherm uw privéleven met Proton
Maak een gratis account

Gerelateerde artikelen

Google is one of the biggest obstacles to privacy. The Big Tech giant may offer quick access to information online, but it also controls vast amounts of your personal or business data. Recently, more people are becoming aware of the actual price you
What to do if someone steals your Social Security number
If you’re a United States citizen or permanent resident, you have a Social Security number (SSN). This number is the linchpin of much of your existence, linked to everything from your tax records to your credit cards. Theft is a massive problem, whic
compromised passwords
  • De basisbeginselen van privacy
Compromised passwords are a common issue and probably one of the biggest cybersecurity threats for regular people. How do passwords get compromised, and is there anything you can do to prevent it? * What does compromised password mean? * How do pa
Is WeTransfer safe?
  • De basisbeginselen van privacy
WeTransfer is a popular service used by millions worldwide to send large files. You may have wondered if it’s safe or whether you should use it to share sensitive files. We answer these questions below and present a WeTransfer alternative that may su
what is a dictionary attack
  • De basisbeginselen van privacy
Dictionary attacks are a common method hackers use to try to crack passwords and break into online accounts.  While these attacks may be effective against people with poor account security, it’s extremely easy to protect yourself against them by usi
Data breaches are increasingly common. Whenever you sign up for an online service, you provide it with personal information that’s valuable to hackers, such as email addresses, passwords, phone numbers, and more. Unfortunately, many online services f