Choosing a password for encrypted notes: length vs complexity
For AES-256, the weak point isn’t the algorithm—it’s your password. Here’s how we think about it.
We use PBKDF2 to turn your password into a 256-bit key. An attacker who gets our database would have to guess your password and run the same KDF to check. So password strength is everything. The usual advice applies: longer is better, and randomness beats keyboard walks.
Length usually wins
A 16-character random password is far stronger than an 8-character one with symbols. We show a simple strength indicator when you set a password so you get feedback without us enforcing a specific policy. For a note that holds sensitive stuff, we’d recommend at least 12–16 characters and a password manager.
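As an added example (not the service's own code), here is the length-versus-complexity comparison and the PBKDF2 key derivation described above in Python; the iteration count, salt and sample passwords are assumptions for illustration, not the service's real parameters.

```python
import hashlib
import hmac
import math
import os
import string

# Alphabets a strength indicator might assume (constructed for this example).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LOWER_DIGITS = string.ascii_lowercase + string.digits                  # 36 symbols

# Assumption: PBKDF2-HMAC-SHA256 iteration count; the page does not state the real value.
ITERATIONS = 600_000


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_kdf_runs(bits: float) -> float:
    """Average number of full KDF evaluations an attacker needs to find the password."""
    return 2 ** (bits - 1)


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a 256-bit AES key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def verify(password: str, salt: bytes, expected_key: bytes, iterations: int = ITERATIONS) -> bool:
    """Checking one guess costs a full KDF run; constant-time compare avoids a timing leak."""
    candidate = derive_key(password, salt, iterations)
    return hmac.compare_digest(candidate, expected_key)


if __name__ == "__main__":
    # Length beats symbols: 16 lowercase+digit characters out-entropy 8 printable ones.
    for label, length, alphabet in [("8 chars, symbols", 8, PRINTABLE),
                                    ("16 chars, lower+digits", 16, LOWER_DIGITS),
                                    ("16 chars, symbols", 16, PRINTABLE)]:
        bits = entropy_bits(length, len(alphabet))
        print(f"{label:24s} {bits:6.1f} bits, ~{expected_kdf_runs(bits):.2e} KDF runs to crack")

    # Each note gets its own random salt; the same password + salt always yields the same key.
    salt = os.urandom(16)
    key = derive_key("sample-note-password", salt)  # constructed sample password
    print("derived key:", key.hex())
    print("correct password verifies:", verify("sample-note-password", salt, key))
    print("wrong password verifies:  ", verify("sample-note-passw0rd", salt, key))
```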
Avoid reuse
If you use the same password for a note and for your email, a breach of one can compromise the other. For important notes, use a unique password. That’s where a manager really helps: one strong master password, unique per-note passwords generated and stored for you.