
Selecting a Strong Password

The weakest point in the security of your online accounts is usually your password. At WordPress.com, we go to great lengths to make sure your content is secure, protected, and can’t be accessed by anyone other than you.

But if one person is able to guess or retrieve your password, they bypass almost every security measure we have because WordPress.com will see them as you. This person could then delete or deface your site, or post whatever they wanted—and your readers would see this content as coming from you.

This guide will help you create good, strong passwords that are hard to guess or crack. Read through the following tips and check your own password. If you feel your password isn’t secure enough, we strongly recommend that you change it.

Traditional Passwords Are No Longer Safe

Password-cracking techniques have matured quickly and significantly in the past few decades, but the way we create our passwords hasn’t kept pace. As a result, the most common advice you’ll hear about creating a strong password today is very outdated and impractical.

A password created with that advice, like jal43#Koo%a, is very easy for a computer to break and very difficult for a human to remember and type.

The latest and most effective types of password attacks can attempt up to 350 billion guesses per second, and that number will no doubt increase significantly over the next few years.

Creating a strong password today requires modern techniques, and we’ll show you two of them in the next section.


Choose a Modern Method

There are many different approaches to generating a strong password, but password managers and passphrases are the best. Choose the one that works for you, and then read its corresponding section further along in this article to learn how to get started.

Best: Use a Password Manager – A password manager is a software application on your computer or mobile device that generates very strong passwords and stores them in a secure database. You use a single passphrase to access the database, and then the manager will automatically enter your username and password into a website’s login form for you.

You never have to worry about picking a good password, remembering it, or typing it again. This is the easiest and most secure method available today, and we strongly recommend that you use it.

Good: Create a Passphrase instead of a Password – A passphrase is similar to a password, except that it’s based on a random collection of words rather than just one. For example, copy indicate trap bright.

Because the length of a password is one of the primary factors in how strong it is, passphrases are much more secure than traditional passwords. At the same time, they are also much easier to remember and type.

They’re not as strong as the kinds of passwords generated by password managers, but they’re still a good option if you don’t want to use a password manager. They’re also the best way to generate the master password for a password manager or your operating system account, since those can’t be automatically filled in by the password manager.


How to Use a Password Manager

There are many different manager applications to choose from, so you’ll need to pick which one you’d like to use, and then install it on your computer. These are the general steps, but you may want to check the documentation for your specific application for more details.

  1. Choose a password manager. Some popular ones are:
    • 1Password (closed-source, commercial)
    • LastPass (closed-source, free/commercial)
    • Dashlane (closed-source, free/commercial)
    • KeePass (open source, free)
    • RoboForm (closed-source, commercial)
    • You can find even more choices by using your favorite search engine.
  2. Install it on your computer.
  3. Install any extensions or plugins for the web browser(s) you use.
  4. Create a strong master password to open the password database. See the How to Create a Passphrase section of this document for advice on how to do that.
  5. (optional) Write down the master password, and store it in a secure location, like a safe-deposit box or a locked safe. It’s important to have a backup in case you ever forget the master password.
  6. (optional) Share your password database across multiple devices with the application’s built-in tools or via a service like Dropbox. If you use an external service, make sure you have a strong password for it and enable two-factor authentication on the account (if possible).

Now that you have your password manager set up, you can start to generate strong passwords with it. Find your manager’s built-in password-generation tool, and configure it to create 30-50 random characters, with a mixture of upper- and lower-case letters, numbers, and symbols.

[Screenshot: password-generator]

You want to end up with something that looks like this: N9}>K!A8$6a23jk%sdf23)4Q[uRa~ds{234]sa+f423@

That may look intimidating, but keep in mind that you’ll never need to remember it or type it in; your password manager will handle that for you automatically.


How to Create a Passphrase

Creating a passphrase follows similar rules to creating a traditional password, but it doesn’t need to be as complex, because the length of the phrase will provide enough security to outweigh the simplicity.

  1. Choose 4 random words. You can use the Simple Strong Password Generator if you’d like.
  2. Add spaces between the words if you prefer.

At this point, you should have something that looks like: copy indicate trap bright

You can stop there if you’d like, or you can add some extra strength by following these steps:

  1. Make a few of the letters upper-case.
  2. Add in a few numbers and symbols.

After applying those rules, it will look something like: Copy indicate 48 Trap (#) bright
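Both generation procedures in this article, the long random character string a password manager produces and the random multi-word passphrase described just above, come down to drawing each position independently from a cryptographically secure random source. The Python script below is an added example and is not code from the WordPress.com article or from any of the password managers it lists. It draws passphrase words from a small constructed 32-word list (a real generator would use a large published list such as the EFF's 7,776-word list), and it uses the 350 billion guesses per second figure quoted earlier in the article to turn search-space size into a worst-case time to exhaust.

```python
import math
import secrets
import string

# Constructed 32-word sample list (the article's example words plus filler).
# A real generator draws from a large published list, e.g. the EFF long
# wordlist of 7,776 words; the list size sets the bits each word is worth.
SAMPLE_WORDS = [
    "copy", "indicate", "trap", "bright", "anchor", "basket", "candle", "dragon",
    "eagle", "falcon", "garden", "hammer", "island", "jacket", "kettle", "ladder",
    "magnet", "needle", "orbit", "pepper", "quartz", "ribbon", "saddle", "timber",
    "umbrella", "velvet", "walnut", "yellow", "zipper", "marble", "oxygen", "puzzle",
]

# The 94 printable ASCII characters a manager-style generator typically uses.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation
REQUIRED_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                    string.digits, string.punctuation)

# Guess rate the article quotes for the fastest offline attacks.
ARTICLE_GUESS_RATE = 350e9


def has_all_classes(candidate: str) -> bool:
    """True if the candidate contains at least one character from every class."""
    return all(any(ch in cls for ch in candidate) for cls in REQUIRED_CLASSES)


def generate_password(length: int = 40) -> str:
    """Manager-style password: uniformly random characters, rejecting any draw
    that misses a class. Rejection sampling keeps every accepted password
    equally likely, unlike 'pick one from each class, then shuffle' schemes."""
    if length < len(REQUIRED_CLASSES):
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(word_count: int = 4, words=SAMPLE_WORDS, separator: str = " ") -> str:
    """Passphrase: word_count words chosen independently and uniformly from the list.
    Repeats are allowed; that is what keeps each position worth log2(len(words)) bits."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Search-space size in bits for 'positions' independent uniform choices."""
    return positions * math.log2(choices_per_position)


def seconds_to_exhaust(bits: float, guesses_per_second: float = ARTICLE_GUESS_RATE) -> float:
    """Worst-case time for an attacker testing guesses at the given rate to try
    the whole space (an offline attack against a stolen password database)."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    print("manager-style:", generate_password(40))
    print("passphrase   :", generate_passphrase(4))
    for label, choices, positions in (
        ("4 words from a 7,776-word list", 7776, 4),
        ("6 words from a 7,776-word list", 7776, 6),
        ("40 random printable characters", 94, 40),
    ):
        bits = entropy_bits(choices, positions)
        print(f"{label}: {bits:.1f} bits, {seconds_to_exhaust(bits):.3g} s to exhaust")
```

The entropy figures only hold when every word or character is chosen at random; a phrase built from a song lyric or personal detail has far less than log2(list size) bits per word, which is the reason behind the "things to avoid" list. The time-to-exhaust number is the offline worst case, and adding a word or two is the cheapest way to push it up when a passphrase has to protect something that cannot be rate-limited, such as a password-manager database.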

Things to avoid:

  • Don’t place the words in a predictable pattern or form a proper sentence; that would make it much easier to guess.
  • Don’t use song lyrics, quotes or anything else that’s been published. Attackers have massive databases of published works to build possible passwords from.
  • Don’t use any personal information. Even when combined with letters and numbers, someone who knows you, or can research you online, can easily guess a password with this information.


Additional Tips For Both Methods

Beyond your account at WordPress.com, there are other things to remember as you compose passwords that will help you keep your information secure.

  • Don’t use the same password twice. Many popular websites fail to adequately secure your password in their systems, and hackers routinely break into them and access hundreds of millions of accounts. If you reuse passwords from site to site, then someone who hacks into one site will be able to log in to your account on other sites. At the very least, make sure that you have unique passwords for all sites that store financial or other sensitive data, or ones that could be used to hurt your reputation.
  • Make sure your email password is also strong. With many online services like WordPress.com, your email address serves as your identification. If a malicious user gains access to your email, they can easily reset your passwords and log in to your account.
  • Don’t share your passwords. Even if you trust the person, it’s possible an attacker could intercept or eavesdrop on the transmission, or hack that person’s computer. If you suspect that someone else knows your password, you should change it immediately.
  • Don’t send your password to anyone in an email. E-mails are rarely encrypted, which makes them relatively easy for attackers to read. WordPress.com staff will never ask you for your password. If you must share a password, use a secure method of transmission like pwpush.com, and set the link to expire after the first view.
  • Don’t save your passwords in a web browser. They often fail to store the passwords in a secure manner, so use a password manager instead. See the section on password managers above for more information.
  • Don’t save passwords or use “Remember Me” options on a public computer. If you do, then the next person to use the computer will be able to access your account. Also make sure you log out or close your browser when you are done.
  • Don’t write down your password. If it’s written down somewhere and someone can find it, it’s not secure. Store passwords in a password manager instead, so that they’ll be encrypted. See the section on password managers above for more information. The exception to this rule is storing unrecoverable passwords (like the master password for a password manager, or your operating system account) in a secure manner. One good way to secure them is to keep them in a safe deposit box, or locked in a safe.
  • Don’t change your passwords, unless you suspect they’ve been compromised. As long as you have the type of strong password recommended in this article, changing it frequently will not do anything to minimize the risk of it being compromised. Because changing them can be a burden, it often tempts people to adopt bad practices in order to make the process easier, which increases their vulnerability to attacks. If you suspect someone has gained access to your account, though, then it’s always a good precaution to change your password.


Two-Factor Authentication

Having a strong password is the single most important thing you can do to protect your account, but if you’d like to go a step further, we offer Two Step Authentication.

If you enable Two Step Authentication on your account, then you will be prompted for a unique six-digit code each time you log in to WordPress.com, in addition to your username and password. You’ll retrieve the code from an app on your smartphone, or via a text message, and it will expire after 60 seconds.

This means that in order for an attacker to gain access to your account, they would not only have to crack your password, but also steal or hack into your phone, so the likelihood of your account being compromised is dramatically decreased.
