Choosing a password for encrypted notes: length vs complexity

For AES-256, the weak point isn’t the algorithm—it’s your password. Here’s how we think about it.

Inkrypt · Security Insights

We use PBKDF2 to turn your password into a 256-bit key. An attacker who gets our database would have to guess your password and run the same KDF to check. So password strength is everything. The usual advice applies: longer is better, and randomness beats keyboard walks.

Length usually wins

A 16-character random password is far stronger than an 8-character one with symbols. We show a simple strength indicator when you set a password so you get feedback without us enforcing a specific policy. For a note that holds sensitive stuff, we’d recommend at least 12–16 characters and a password manager.

Avoid reuse

If you use the same password for a note and for your email, a breach of one can compromise the other. For important notes, use a unique password. That’s where a manager really helps: one strong master password, unique per-note passwords generated and stored for you.

FAQ: Password length vs complexity

Q1. Is a long simple password better than a short complex one?

Usually yes. A 16-character random password is far stronger than an 8-character one with symbols. Length grows the search space faster than adding a few extra character types.

Q2. How does PBKDF2 affect password strength for my notes?

PBKDF2 runs your password through many iterations (310k in our case) to slow down each guess. That doesn’t fix a weak password, but it makes brute-force and large-scale guessing much harder for an attacker with a leaked database.
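To make the length argument and the PBKDF2 slowdown concrete, here is an added example (not Inkrypt's own code) that derives a 256-bit key with PBKDF2 at the 310k iterations stated above and compares the search space of a 16-character letters-and-digits password with an 8-character one drawn from all printable symbols. HMAC-SHA256 as the PRF, the alphabet sizes and the attacker's raw hash rate are assumptions of the example.

```python
import hashlib
import math
import os

# Page states 310k iterations and a 256-bit key; HMAC-SHA256 is assumed.
ITERATIONS = 310_000
KEY_LEN = 32  # 256-bit AES key

# Assumed alphabet sizes: letters+digits, and all printable ASCII.
LETTERS_DIGITS = 62
ALL_PRINTABLE = 95


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this length/alphabet."""
    return length * math.log2(alphabet_size)


def guesses_per_second(raw_hashes_per_second: float, iterations: int) -> float:
    """Each guess costs `iterations` HMAC calls, so the guess rate drops by that factor."""
    return raw_hashes_per_second / iterations


def expected_crack_seconds(bits: float, guess_rate: float) -> float:
    """Expected time to hit a random password: half the search space on average."""
    return 2 ** (bits - 1) / guess_rate


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed per-note salt; stored beside the ciphertext
    key = derive_key("correct horse battery staple", salt)
    print("derived key:", key.hex())

    rate = guesses_per_second(1e9, ITERATIONS)  # assumed 1e9 raw hashes/s
    for label, length, alphabet in (("16 chars, letters+digits", 16, LETTERS_DIGITS),
                                     ("8 chars, all printable", 8, ALL_PRINTABLE)):
        bits = search_space_bits(length, alphabet)
        years = expected_crack_seconds(bits, rate) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years at {rate:.0f} guesses/s")
```

Running it shows the 16-character letters-and-digits password carrying about 95 bits against roughly 53 for the 8-character one, and that the iteration count scales the attacker's cost linearly rather than fixing a weak choice.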

Q3. Can I reuse the same strong password for multiple encrypted notes?

You can, but you shouldn’t. Reuse means one compromise exposes multiple notes. Using a password manager to generate unique, long passwords per note is safer.

Q4. Do I really need special characters in my note password?

Not strictly. A long, random password made from letters and numbers can be very strong. Complexity helps, but length and randomness matter more.

Q5. What’s a practical minimum for important notes?

For sensitive content, we recommend at least 12–16 random characters stored in a password manager. That balances usability with a very large search space for attackers.

Where to go next

If you want to see how password strength and key derivation show up in the product: