We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Our password strength checker uses the ‘zxcvbn’ strength estimation method, which analyses entropy, patterns, and common password practices to determine strength more accurately. Other strength checkers simply measure character variety and can wrongly score weak passwords as strong.

This tool does not store any entered passwords. We also don’t share any information with third parties.


How to Create a Strong Password (That Won’t Get Hacked)

Whether you’re banking online or browsing social media, a strong password is essential.
Here are some tips to help you create a password that won't get hacked:

  • Avoid including personal information. This includes your name, birth date, address, phone number, or any other information that could be used to identify you.
  • Consider length. The longer the password, the higher the entropy, meaning it’s much harder to crack. We consider 16 characters or more to be sufficient.
  • Use a variety of characters. Use both upper-case letters and lower-case letters in your password — a mix of both makes it more secure. Also, use numbers and special characters (such as % ^ $ £ @ & * [ ] / !).
  • Include random letters and numbers in place of vowels. For example, if your password is "purpledogwithanorangejacket", replace all instances of the letters "o" and "a" with a number or a symbol, such as "0" or "4", so that it reads "purp1ed0gw1than0r4nge3j4ck3t".
  • Don’t use dictionary words. Hackers use “dictionary attacks”, where they try every possible word in a dictionary. If your password can be found in a dictionary it’s very easy for a hacker to crack.
  • Avoid simple phrases. Phrases like “mypassword” or “ilovedogs” are very easy to guess.
  • Don’t use known compromised passwords. Hackers use databases of compromised login credentials when attempting to access accounts. If your password is compromised (find out using our tool) hackers will be able to guess it easily.
  • Use a password generator. A password generator is a tool that will help you easily create strong passwords that are long, complex, and unique.

Once you’ve created strong passwords for all of your accounts, you need to store them safely.

What Are the Best Ways to Keep Your Passwords (& Online Accounts) Safe?

1. Use a password manager

One of the best ways to keep your account login credentials safe is to use a password manager, which is an app that securely stores your account information in an encrypted vault. To access your credentials, you need to enter a master password, which decrypts all stored information.

To increase security, you should set up two-factor authentication. This means that when you access your password vault, you'll need another piece of information before you can log into it, like a one-time code from an authenticator app. This makes it harder for someone else to access your account because they'd need both pieces of information — your password and the one-time code — to get into it.

2. Always use unique passwords

Using unique passwords reduces the risk of hackers gaining access to your other accounts. Using the same credentials for all of your accounts is a major security risk, as once a hacker gains your credentials for one account, they will attempt to access other popular sites using the same credentials.

3. Regularly change passwords

Changing passwords regularly reduces the risk of being hacked. Cybercriminals can steal login credentials and covertly access user accounts for months or years, collecting information about users. If you don’t change your passwords, a hacker could access your account when you least suspect it.

It can be a big task to change passwords for all of your accounts. To make life easier, you can prioritize changing credentials for your most important accounts, such as your work email or online banking service, and update other accounts less frequently. Still, you should try to update all of your passwords at least every 6–12 months.

Note: You should immediately change passwords if they become compromised or if you get account access notifications that you don’t recognize.

4. Avoid sharing passwords unless necessary

You shouldn’t share any login information with anyone else (unless done securely using a password manager). This includes avoiding sharing with family members or friends because there's no guarantee that they won't accidentally share it with others.

If you need to share login details, only share them using a trusted password manager with secure sharing options, which enable you to share credentials without the recipient being able to view, edit, or share them.

5. Set up two-factor authentication for all online accounts

Two-factor authentication (or 2FA) requires you to provide an extra form of verification in combination with your username and password when accessing your accounts, such as a one-time code generated by an authenticator app (like Google Authenticator).

2FA makes it virtually impossible for hackers to access your accounts, which is why most websites and apps offer users 2FA settings for increased security.

Head to each of your online accounts, navigate to the account settings, and look for two-factor authentication options (preferably choose the authenticator app option as it's easy to set up and one of the most secure forms of 2FA). If available, you should follow the setup instructions and secure your accounts.

Note: Many online accounts offer SMS 2FA, where a one-time code is sent to your phone via text message, but this is one of the least secure forms of 2FA. Hackers can perform a “SIM swap”, which essentially means hackers can hijack your phone number and receive all of your SMS 2FA codes, enabling them to log into your online accounts.

6. Install antivirus software

Antivirus software helps protect your computer from malicious software, including spyware, which is specifically designed to steal your data and transfer it to cybercriminals.

You can use an antivirus to keep your online accounts safe by scanning your device for any kind of malware or suspicious activity that could be linked to a hacker trying to steal your sensitive information.

7. Use web protections

Web protections prevent online scams, including phishing sites that trick users into giving up sensitive information such as login credentials or bank account details.

Most antiviruses come with effective web protections that block access to malicious sites and alert users to suspicious links. Reputable web browsers, like Chrome and Firefox, should also come with built-in web protections, so make sure to check your browser’s settings.

8. Set up a dark web monitoring tool

Dark web monitoring tools alert you when they find leaked login credentials or other stolen data, enabling you to take action (such as changing your account login details) before bad actors access your accounts.

Norton (an antivirus) and Dashlane (a password manager) both offer excellent live dark web monitoring tools that scan the dark web in real time. These tools will alert you as soon as they detect any leaked information. This could include anything from credit card numbers being sold on black market sites to email addresses being posted in an attempt at phishing scams.

What Can Happen If Your Password Is Hacked or Stolen?

Your online accounts could be compromised

If a hacker steals your login information, they can log into any account that uses the same username and password.

For example, if your Netflix account and your social media accounts use the same login details, and hackers gain access to your Netflix credentials, they’ll also be able to access your social media accounts.

This is why it’s important to use unique passwords for every one of your accounts.

Your email account could get hacked

Your contacts might start receiving spam emails from hackers who have hijacked your account.

Hackers may try to deceive your contact list into giving away personal information about you or themselves. They could also convince your contacts to send money, requesting them to make an online payment or bank transfer to an illegitimate account.

Hackers could block you from accessing other accounts

If a hacker acquires your email account login details, they can use them to reset the passwords on other accounts that you have, effectively locking you out of your other accounts.

This is problematic for several reasons, including the fact that hackers could access all the information stored in your accounts, including private messages or sensitive personal information, without you being able to stop them.

Personal information can be leaked or sold on the dark web

Once your personal information ends up on the dark web, it can be copied and shared with anyone (including cybercriminals). Oftentimes, stolen login credentials are sold to hackers so they can easily access compromised accounts, including online banking accounts.

While it’s difficult to stop hackers from selling stolen information on the dark web, you can take action by quickly changing your account login credentials to prevent bad actors from gaining access.

You could become a victim of identity theft

Hackers could perform identity theft by accessing sites that hold sensitive information about you, including passport information, social security numbers, and more, and then using this information to fraudulently take out loans, fleece your bank account, or make credit card purchases in your name.

Frequently Asked Questions

How do I know if my passwords are safe?

Your passwords are safe if they're complex (use a combination of letters, numbers, and special characters), long (at least 16 characters), and stored somewhere safe (like a password manager).

If any of your passwords don't fit the criteria above, they are likely unsafe.

One of the quickest ways to check if your password is safe is by using a strength checker, which assesses the characteristics of your password and notifies you if it's weak or strong.

How long should my passwords be?

We recommend passwords that are at least 16 characters long.

Why? Because complex 16-character passwords would typically take centuries to crack. In comparison, a simple 8-character password could be cracked in less than 24 hours.

However, it’s still important to check if your passwords are strong enough — even simple 16-character passwords (e.g. "thisismypassword") are easier to crack than complex alternatives (e.g. "TH15i$mYP4s5W0rD").

What is the safest password possible?

There is no one password that is considered the safest. However, you can ensure your password is safe by checking its strength and updating it if it’s weak.

Safe passwords usually have a combination of factors that make them hard for hackers to crack:

  • Good length — We recommend at least 16 characters or longer.
  • Random — Passwords with a randomized combination of characters are safer than simple, commonly-used words or phrases.
  • Variety of characters — A combination of uppercase and lowercase letters, numbers, and special characters is harder to crack.

However, password safety also involves a variety of measures, including regularly changing passwords (we recommend you change your most important credentials monthly), regularly checking if your login details have been involved in a data breach, and using two-factor authentication to further protect your accounts.

How do hackers steal passwords?

One of the most common password-stealing techniques is phishing, where hackers set up fake websites and deceive users into entering their login details. For example, hackers could create a fake banking webpage and convince unsuspecting users to enter their private banking details.

Hackers typically send phishing links via email, posing as representatives of legitimate companies. But phishing sites can also be found on social networking sites and even in search engine results.

There are many other ways your password can be stolen, including when company servers are breached or malware (like spyware) covertly monitors your keyboard strokes.

Hackers can also break into accounts using brute-force attack software, which attempts to guess account passwords at a rate of hundreds per second.

What is password entropy?

Password entropy is a form of measurement used to determine how difficult it is for a hacker to crack a password — the higher the entropy score, the harder it is to crack. Password strength checkers use this to help you determine how safe your password is (and if you need to strengthen it).

Entropy is measured in "bits". It’s calculated by measuring password length and the variety of characters used, e.g. uppercase and lowercase letters, digits, and special characters.

A simple phrase like "hello" has a lower entropy as it’s short and doesn’t use a variety of characters. But a complex password like "Gp6-7&#!$f0O^M>14£@-+_%k" has a higher entropy as it’s long and uses a wide variety of characters, which makes it harder to crack.
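The length-and-character-variety calculation described above, next to a pattern-aware estimate of the kind the page attributes to zxcvbn, as an added example that is not part of the original page and is not the zxcvbn code. The mini word list, the assumed attacker list size of 10,000 words and the one-bit-per-substitution rule are simplifying assumptions.

```javascript
// Added illustration: a simplified pattern-aware estimate, NOT the zxcvbn algorithm.
// WORDS is a constructed mini list; ASSUMED_LIST_SIZE is an assumed attacker word-list size.
const WORDS = ["this", "is", "my", "password", "hello", "love", "dogs", "qwerty"];
const ASSUMED_LIST_SIZE = 10000;
const WORD_BITS = Math.log2(ASSUMED_LIST_SIZE); // cost of guessing one list word
const LEET = new Map([["0", "o"], ["1", "i"], ["3", "e"], ["4", "a"],
                      ["5", "s"], ["$", "s"], ["@", "a"]]);

// What a character-variety checker computes: length x log2(size of character pool).
function naiveBits(pw) {
  if (pw.length === 0) return 0;
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33; // printable ASCII symbols, space included
  return pw.length * Math.log2(pool);
}

// Undo capitalisation and common look-alike substitutions, counting how many were applied.
function normalise(pw) {
  let text = "", altered = 0;
  for (const ch of pw) {
    const lower = ch.toLowerCase();
    if (LEET.has(lower)) { text += LEET.get(lower); altered++; }
    else { text += lower; if (lower !== ch) altered++; }
  }
  return { text, altered };
}

// Fewest list words that spell `s` exactly (Infinity if it cannot be spelled that way).
function minWords(s) {
  const best = new Array(s.length + 1).fill(Infinity);
  best[0] = 0;
  for (let i = 1; i <= s.length; i++) {
    for (const w of WORDS) {
      if (i >= w.length && s.startsWith(w, i - w.length)) {
        best[i] = Math.min(best[i], best[i - w.length] + 1);
      }
    }
  }
  return best[s.length];
}

// Word-based guess cost plus 1 bit per altered character, capped by the naive figure.
function patternAwareBits(pw) {
  const { text, altered } = normalise(pw);
  const words = minWords(text);
  const naive = naiveBits(pw);
  if (words === 0 || !Number.isFinite(words)) return naive;
  return Math.min(naive, words * WORD_BITS + altered);
}

// The page's own example passwords: naive bits, then pattern-aware bits.
for (const pw of ["hello", "thisismypassword", "TH15i$mYP4s5W0rD", "Gp6-7&#!$f0O^M>14£@-+_%k"]) {
  console.log(pw.padEnd(26), naiveBits(pw).toFixed(1), patternAwareBits(pw).toFixed(1));
}
```

On the page's examples, the naive figure gives "TH15i$mYP4s5W0rD" about 105 bits against about 65 bits from the pattern-aware estimate, while the random 24-character password scores the same under both.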

What are the most commonly used passwords?

According to the UK’s National Cyber Security Centre, the most commonly used passwords are "123456", "123456789", "qwerty", "password", and "1111111", all of which are easy to remember, which is why so many people use them.

All of the above are very easy for hackers to guess, so it's always best to use unique, complex passwords, and change them every few months. You can use a strength checker to easily assess whether your passwords are weak or strong.

What is two-factor authentication (2FA) and should I use it?

Two-factor authentication (2FA) is a security method that requires users to provide an extra form of verification along with their username and password when accessing their accounts.

For example, when logging into your Facebook account, you’ll need to enter a one-time code generated by an authenticator app (like Google Authenticator) or sent to you via SMS.

There are many forms of 2FA, including one-time codes, hardware keys, and biometric authentication (fingerprint scanning or facial recognition).

Even if you have 2FA set up on your account, it's still important to make sure that you're using strong passwords and not reusing them across multiple sites or services. You should also keep an eye on any suspicious activity on your accounts—like new accounts being created or sudden changes in spending habits—and report it immediately if something seems off.

Is it worth using a password manager?

In short, yes. Password managers offer many benefits, including:

  • Security. All your details are stored in an encrypted digital vault, so they're safe from hackers.
  • Convenience. With one click, you can automatically fill in your login credentials, so you don’t have to repeatedly type them manually.
  • Password auditing. This feature notifies you if your passwords are weak, old, reused, or compromised, which allows you to update your password quickly.

Browser password managers (like the one built into Google Chrome) are easy to use and convenient, but standalone password manager apps tend to offer more features and better security overall.

What is a master password?

A master password is required to unlock your password manager. As password managers use encryption to secure stored data, the master password is linked to your vault’s decryption key, which is needed to access the data stored in your vault.

To keep bad actors from accessing your vault, you should set up a strong master password that is not easy to guess or crack. You should also change it periodically (such as once per quarter) to avoid being hacked.

Pro tip: Set up two-factor authentication (2FA) to further protect your vault. This is an extra verification step that protects your data even if hackers manage to crack your password.
