Your password doesn’t just open the door—it is the door

In most apps, your password is basically a permission slip. You type it in. A server checks it against a stored verifier. If it matches, the server lets you in. And if you forget it? The server can usually help you reset your password—because the server is still in the loop.

In Qaxa, your password is the key

In Qaxa, we don’t check your password against a list. We don’t know it. We can’t see it. Instead, your password is used locally on your device to unlock the cryptographic keys that decrypt your data.

Think of it like a vault.

Standard apps — Your safe is in a bank. You show ID (your password). The manager opens it.

Qaxa — Your safe is out in the wilderness. No manager. No back office. No reset desk.

Your password isn’t a request to open the vault. Your password is the key. Which means: if your password is weak, you didn’t just make it easier to guess — you made the vault easier to break.

The brute-force reality

Because Qaxa is zero-knowledge, the biggest threat to your data isn’t “someone inside Qaxa.” We can’t read your content—even though it’s stored on our servers.

The real risk is this:

An attacker obtains the encrypted data stored in Qaxa (for example through a breach of storage, backups, or the systems that hold encrypted blobs). They still won’t see your data and files in plain text.

But with the ciphertext in hand, they can try to unlock it offline by guessing your password using powerful hardware. 

That’s a brute-force attack: relentless guessing at machine speed.

And here’s the key point:

This isn’t a normal “login attack.” When an attacker is working from an encrypted dataset, there’s no server to slow them down. No rate limits. No lockouts. No alerts. Just math. 

So the strength of your password matters. A lot.

The mathematics of “Impossible”

To understand why length is your best defense, you have to look at the numbers.

Every extra character doesn’t just “add” difficulty—it multiplies it. That’s the power of exponents. Brute-force attacks scale fast, but a modern attacker can try massive numbers of guesses per second (especially when they’re working offline).

Here’s what that multiplication looks like in practice. Using Hive Systems’ 2025 estimates (assuming a robust bcrypt hashing setup), the difference between “short” and “long” is the difference between reachable and absurd.

• 8 characters (mixed letters + numbers + symbols) ~164 years — sounds long, but this is still in the realm of “eventually” for well-funded attackers.
   
• 12 characters (mixed letters + numbers + symbols) ~3 billion years — now you’re leaving the practical world behind.
   
• 16 characters (mixed letters + numbers + symbols) ~94 quadrillion years — this is what “not worth trying” looks like.
   
• 18 characters (mixed letters + numbers + symbols) ~463 quintillion years — not just hard—astronomical.

And this is why 20+ characters is the sweet spot: once you’re in that range, you’re stacking multipliers on top of numbers that are already beyond human timescales.

A crucial caveat: These tables assume your password is truly random. Human-made “clever” passwords and common phrases get crushed by dictionary and pattern attacks—often effectively instantly—regardless of length.

Strong password rules that work

1) Length beats complexity

The most reliable way to increase password strength is simple: Make it longer.

A short password with symbols feels “complex,” but it’s still short. Length increases the search space dramatically.

Target:

• Minimum: 16 characters
• Better: 20+
• Best: A long passphrase

2) Use a passphrase, not a password

Humans are bad at remembering this: Xy9#b2!Lq

Humans are good at remembering words. So use 4–6 random, unrelated words. Add separators if you like.

• Not this (predictable): iloveyouforever
• But this (random): solar-pancake-gravity-velvet

This style is easier to type, easier to store safely, and much harder to guess—especially when the words are truly random.

3) If you want maximum strength: Diceware

Humans are predictable. We pick familiar words and patterns. Diceware removes you from the equation.

How it works:

1. Roll a physical die 5 times → you get a 5-digit number (eg: 43152).
2. Look it up in an official Diceware word list → you get one word.
3. Repeat for 5–6 words.

That’s your passphrase. It’s simple, boring, and extremely effective. 

You can use EFF’s official Diceware word lists (including their improved long and short lists) to generate truly random passphrases with dice—start here. 

4) Don’t rely on “cute tricks”

Attackers have seen every version of this:

• a → @
• o → 0
• Password!
• Something123

These patterns are among the first things cracking tools try. If you want strength, choose randomness + length, not cleverness.

5) Store it like it matters—because it does

In Qaxa, we can’t reset your password for you. There’s no master key. No support override. If you lose your password, your data isn’t “locked for a while.” It’s mathematically sealed. So, store it intentionally.

Good options:

• Write it down on paper
• Seal it in an envelope
• Store it in a safe / fireproof box
• Keep a second sealed copy in a separate location

Avoid:

• Email drafts
• Notes apps that sync everywhere
• Cloud documents
• “I’ll remember it” (you won’t, under stress)

The bottom line

In Qaxa, your password isn’t a login step. It’s the cryptographic boundary between “encrypted forever” and “accessible to you.”

You’re not just a user. You’re the custodian of your own vault. Build a key worthy of what you protect.

—

Now that you’ve built a strong password, remember: you’re the only person who knows it. Qaxa is zero-knowledge. If you lose your key, we can’t reset it for you. Read why removing the reset button was the single most important security decision we made: Why we don’t have a “Forgot Password” button.

Keep reading the blog
Follow us on X for updates