
Selecting a Strong Password

The weakest point in the security of your online accounts is usually your password. At WordPress.com, we go to great lengths to make sure your content is secure, protected, and can’t be accessed by anyone other than you.

But if one person is able to guess or retrieve your password, they bypass every security measure we have because WordPress.com will see them as you. This person could then delete or deface your site, or post whatever they wanted—and your readers would see this content as coming from you.

Think about what you are entering as your password. Does it contain any information people could easily guess? Does it contain a name or number that has a strong connection to you? The name of a pet, family member, or favorite sports team? The date of an anniversary or birthday? It’s pretty likely that someone who knows you well enough or can find this information about you—even in your own blog posts—could then guess your password.

This guide will help you create good, strong passwords that are hard to guess or break. Read through the following tips and check your own password. If you feel your password isn’t secure enough, you should change it as soon as you can. (For more help, visit our page on how to change your password.)

What NOT to Do When Selecting a Password

There are some simple rules you should keep in mind when you select a password. Following these rules is the first step in selecting a good password.

  • Don’t use single words or numbers. Avoid using anything found in a dictionary or simple numbers like a birthdate or a phone number. Even if the word is in a different language, it can be easy to guess or brute force.
  • Don’t use any personal information. Even when it is combined with other letters and numbers, someone who knows you or can research you online can easily guess a password built from this information.
  • Don’t just substitute look-alike numbers for letters in a word. (Don’t use “leet” speak.) For example, don’t just change “Steve” to “St3v3”.
  • Don’t invert words. Reversing a word is one of the first things a password guesser tries. For instance, don’t change “password” to “drowssap”.
  • Don’t write down your password. If it’s written down somewhere and someone can find it, it’s not secure.
  • Don’t use the same password for every website you visit. If you use the same password everywhere, a single guess or defeat of the password can expose your information everywhere. By taking the time to separate your passwords, you can limit any damage caused by a break-in.


Basic Steps to Selecting a Strong Password

If you find selecting a strong password daunting, try using one or two of these tips to start with. Just using some of these guidelines can add a significant amount of strength to your passwords.

  • Make the password at least eight characters long. A longer password means it’s harder for someone to guess. 12 or 16 characters is even better.
  • Use a mix of upper and lower-case letters. Passwords are case-sensitive, so alternate your caps occasionally throughout the password to increase its strength.
  • Throw in some numbers—especially in the middle. Numbers at the beginning or end of a password are easier to guess or crack than those stuck right in the middle.


Advanced Steps to Selecting a Strong Password

To make your passwords really secure, try some of these advanced tips. They can make your passwords harder to remember, but will greatly increase the security of your accounts.

  • Throw in some symbols, punctuation, or spaces. You can use symbols like &, $, and % to greatly increase the strength of your password. Using spaces is also a great way to do this—and it can be easier to remember.
  • Use a passphrase. Since you can use spaces in your password, consider making your password a full phrase rather than a word or two. “I have a passphrase” would be a valid password.
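The rules above can be turned into a simple checker. The following is an added example, not WordPress.com's own password check: it undoes “leet” substitutions, looks for reversed words, scans for personal information you supply, and reports which of the basic and advanced tips a candidate password is missing. The word list and the function names are constructed for illustration; a real checker would use a dictionary and a list of commonly leaked passwords.

```python
"""Password-policy checker built from the tips on this page.

Hypothetical example code (not WordPress.com's own checker). COMMON_WORDS
is a small constructed sample standing in for a real dictionary.
"""
import re
import string

# Constructed stand-in for a dictionary / common-password list.
COMMON_WORDS = {"password", "steve", "welcome", "football", "summer", "letmein"}

# Look-alike substitutions used in "leet" spellings, e.g. St3v3 -> steve.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Lower-case and undo leet substitutions so 'St3v3' compares as 'steve'."""
    return candidate.lower().translate(LEET_MAP)


def looks_like_dictionary_word(candidate: str, words=COMMON_WORDS) -> bool:
    """True if the password, leet undone, is a known word forwards or reversed."""
    stripped = re.sub(r"[^a-z]", "", normalize(candidate))  # letters only
    return stripped in words or stripped[::-1] in words


def has_digit_in_middle(candidate: str) -> bool:
    """True if some digit sits strictly inside the password (not first or last)."""
    return any(ch.isdigit() for ch in candidate[1:-1])


def check_password(candidate: str, personal_info=()):
    """Return (violations, missing_tips).

    violations   -- things from the "what NOT to do" list (plus the 8-char minimum)
    missing_tips -- basic/advanced strengthening tips the password does not use
    """
    violations, missing = [], []
    norm = normalize(candidate)

    if len(candidate) < 8:
        violations.append("shorter than 8 characters")
    if candidate.isdigit():
        violations.append("numbers only")
    if looks_like_dictionary_word(candidate):
        violations.append("dictionary word (plain, leet-substituted or reversed)")
    for item in personal_info:
        item_norm = normalize(item)
        if len(item_norm) >= 3 and item_norm in norm:
            violations.append(f"contains personal information ({item})")

    if len(candidate) < 12:
        missing.append("12 or 16 characters would be stronger")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        missing.append("no mix of upper and lower case")
    if not has_digit_in_middle(candidate):
        missing.append("no digit in the middle")
    if not any(c in string.punctuation or c == " " for c in candidate):
        missing.append("no symbol, punctuation or space")
    return violations, missing


if __name__ == "__main__":
    for pw in ["St3v3", "drowssap", "I have a passphrase", "Blue&42 jay tree"]:
        print(repr(pw), check_password(pw, personal_info=("Rex",)))
```

Note that the page's own passphrase, “I have a passphrase”, passes every rule in the “NOT” list and only comes back with the suggestion to add a digit in the middle; the two lists are kept separate so that a long passphrase is never rejected outright for lacking a symbol.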


Additional Tips

Beyond your account at WordPress.com, there are other things to remember as you compose passwords that will help you keep your information secure.

  • Don’t use the same password twice. If your passwords are different from site to site, guessing one will not provide someone with access to everything you do. At the very least, try not to use the same password everywhere.
  • Use a password manager or generator. There are lots of free or low-cost options for password management. Two good examples are the open-source application KeePass and a password generator like this one.
  • Make your email password the most secure of all. With many online services like WordPress.com, your email address serves as your identification. If a malicious user gains access to your email, it’s not hard to then reset many of your other passwords and gain access to much more.
  • Consider changing your passwords regularly. The more often you change it to another strong password, the harder it will be for someone to guess or break it.
  • Don’t share your passwords. Even if you share your password with only one person, there is no telling who else might then gain access to it. If you suspect that someone else knows your password, you should change it immediately.
  • Don’t send your password to anyone in an email. WordPress.com staff will never ask you for your password.
  • Don’t save your passwords or use “Remember Me” options when using a computer that’s not yours. And make sure you log out or close your browser when you are done.
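For the generator tip above, here is an added example of how a random password or passphrase generator works; it is not the generator linked from this page. It draws from Python's `secrets` module (a cryptographically secure source) rather than `random`, and shows how to estimate the strength of the result in bits, which is what makes a long passphrase of ordinary words competitive with a shorter string of symbols. The word list is a constructed sample of 16 words; a real generator uses a list of thousands of words.

```python
"""Random password/passphrase generation with the `secrets` module.

Hypothetical example code, not the generator referenced on this page.
WORDS is a constructed sample; use a large published word list in practice.
"""
import math
import secrets
import string

# Constructed 16-word sample; a real list has thousands of entries.
WORDS = ["apple", "brick", "candle", "desert", "engine", "falcon", "garden",
         "hammer", "island", "jacket", "kettle", "lantern", "marble", "nickel",
         "orbit", "pepper"]

# Letters, digits and punctuation: 94 printable characters, spaces excluded.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(n_words=4, words=WORDS, sep=" "):
    """Pick n_words uniformly at random (with replacement) and join with sep."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_password(length=16, alphabet=DEFAULT_ALPHABET):
    """Random string that mixes lower, upper, digit and symbol characters."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print(generate_passphrase(), f"({entropy_bits(len(WORDS), 4):.1f} bits)")
    print(generate_password(), f"({entropy_bits(len(DEFAULT_ALPHABET), 16):.1f} bits)")
    # Six words from a 7776-word list (the classic diceware size) give ~77.5 bits.
    print(f"{entropy_bits(7776, 6):.1f} bits for six diceware words")
```

The entropy figure is the property that matters: the 16-word sample list gives only 16 bits for four words, which is why the size of the word list matters more than the number of words, and why a generator that draws from a large list or a full character set beats any hand-made substitution scheme.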