The purpose of a password is to prevent unauthorised access to an account. Therefore, logically, it should be hard to guess. This, however, means two things:
- Firstly, it should be hard to guess by humans.
- Secondly, it should be hard to guess by computers.
The most common mistake non-technical people make is to focus on the first one, thinking that the second one will be taken care of as well. This is, to put it bluntly, very bad practice, because the way computers (i.e. hackers) “guess” passwords is completely different from how humans guess passwords.
A human will attempt to guess your password based on information they might know about you, such as your name and surname, date of birth, other family members’ names, places you live, etc.
A computer on the other hand takes a different approach. Because of the sheer speed at which a computer can try different combinations of letters and numbers, what makes it difficult for a computer is not how “unexpected” a password is but how long it is.
So here are the rules to follow to have strong passwords for your WordPress accounts (or indeed any account):
Rule #1: Avoid common words
Just don’t use words, combinations, and phrases which are easily guessable. Some of the most common passwords people use — which you should avoid — include:
Rule #2: Use a passphrase
It’s a small but important distinction to think of your password not as a “word” but as a “phrase”. A phrase is longer than just one word, and passphrase length is the most important factor in making it hard for a hacker to crack. This is because for each additional character you add to your passphrase, the number of possible combinations of letters and numbers a computer would need to test grows exponentially.
For example, let’s say you’re tempted to use the word “paris” as your password because you just had a great holiday there. A brute-force attack script will guess this password in 0.20 milliseconds. That is far less time than it takes you to type it.
Try instead using a passphrase like “wehadsomuchfuninparis” and you’ll find it’s effectively unguessable by a computer, because working through every possible 20-character combination would take an impractically long time.
Rule #3: Add numbers or special characters
A lot of sites recommend this. While length makes the biggest difference, adding more than just alphabet letters to your passphrase — e.g. wehadsomuchfuninparisin2019 — makes it even harder for a computer to guess, because now the total number of characters it needs to try out has grown from 26 (the alphabet) to 36 (alphabet plus numbers).
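To put numbers on Rules #1 to #3, here is a small added example (written for this page, not code from the original post or from WordPress) that scores a candidate password the way a defender would: it first checks it against a constructed mini-list of common passwords and dictionary words, then estimates the character-set size, the resulting keyspace and entropy, and the worst-case time to exhaust that keyspace. The guessing rate of 10 billion guesses per second and the word lists are assumptions chosen for illustration, not measured values.

```python
import math

# Assumed offline guessing rate for a fast attacker (constructed assumption for
# illustration only; real rates depend on the hash algorithm and hardware).
GUESSES_PER_SECOND = 1e10

# Constructed stand-ins for a real leaked-password list and a plain-word dictionary.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "wordpress", "admin"}
DICTIONARY_WORDS = {"paris", "summer", "welcome", "dragon", "monkey"}


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def keyspace(password: str) -> int:
    """Number of strings of the same length over the same character set."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy: length multiplied by log2 of the character-set size."""
    return len(password) * math.log2(charset_size(password))


def worst_case_crack_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every string in the keyspace at the assumed rate."""
    return keyspace(password) / rate


def is_common(password: str) -> bool:
    """Rule #1: a list or dictionary hit is found long before brute force matters."""
    p = password.lower()
    return p in COMMON_PASSWORDS or p in DICTIONARY_WORDS


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds * 1000:.3f} milliseconds"


def assess(password: str) -> dict:
    """Summarise the checks for one candidate password."""
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(entropy_bits(password), 1),
        "worst_case": human_time(worst_case_crack_seconds(password)),
        "common": is_common(password),
    }


if __name__ == "__main__":
    # The three candidates discussed in the text: a single word, a passphrase,
    # and the same passphrase with digits appended.
    for pw in ("paris", "wehadsomuchfuninparis", "wehadsomuchfuninparisin2019"):
        print(f"{pw!r}: {assess(pw)}")
```

Running it shows the two effects the text describes: going from a 5-letter word to a 21-letter phrase raises the keyspace from 26^5 to 26^21, and appending digits widens the alphabet to 36 on top of the extra length. Note that the entropy figure is an upper bound for pure brute force; a passphrase built from dictionary words is weaker against a cracker that combines words, so the common-word check and length should be read together rather than trusting the bit count alone.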
Rule #4: Use different passphrases
However cool and long your passphrase is, don’t repeat it. There’s always a risk it will somehow be compromised, and if you make a habit of using the same password for different services, the attacker will suddenly have access to several of your accounts.
Rule #5: Use a password manager
However much you’re on board with security and strong passwords, it doesn’t change the fact that it’s hard to remember them — especially if they’re lengthy and complex, as they should be.
A good way around this is to use a password manager like Google Smart Lock, 1Password, or LastPass.