Generate Strong Password: Powering over 60 million websites, WordPress is the world’s most popular website building platform. As a result, WordPress draws the attention not just of website developers but also of hackers. Reportedly, over 90,000 hack attempts are made on WordPress websites every minute of the day. Many of these attempts are made on the WordPress login page, which is the gateway to your site. Once inside, hackers can insert backdoors, send spam emails and steal sensitive information, among other things.
A WordPress login page has two fields (as you can see in the image below): one for the username and one for the password. In a previous post, we showed you how to create a strong and unique username. In this one, we’ll tell you how to generate a strong password for your WordPress site.
Hack attempts like Dictionary and Brute Force attacks are automated. In a Brute Force attack, bots try every possible combination of characters to crack a password, while bots performing a Dictionary attack enter a set of commonly used passwords to see if there’s a match. Using a weak or easy-to-guess password (like p@ssw0rd or dummypass123) is as good as handing your password to the hackers. These passwords are easy to remember and therefore very popular, and hacker bots are designed to try such popular passwords when attacking your site. This is why it’s important to generate a strong password.
One report says that in the past year alone, brute force and dictionary attacks on WordPress login pages have gone up by 400 per cent. This means either that brute force attacks are easier to carry out than other hack attacks or that hackers are getting better results with this type of attack.
A lot of website owners are not aware of the threat the hacking community poses to their site. There is a prevalent idea that hackers only target big websites. But hackers these days target many small websites too, because small sites are lax about security and therefore easier to break into. You might think there is nothing on your website worth going after, but hackers have found plenty of ways to make use of a compromised website.
Another reason why many WordPress site owners don’t implement strong passwords is that they are hard to remember. Try remembering a password like ‘pd&&)xG56ZhLNrjl4jjNJ4#h’. This is a password generated by WordPress for a user account we created on one of our test sites.
So the problem that website owners like yourself face is that an easy password is crackable, but a hard one is hard to remember. It’s also worth mentioning here that not all hard-to-remember passwords are hard to crack. A popular ‘xkcd’ comic strip shows how some passwords can be hard for humans to remember but easy for bots to crack.
This is exactly why we decided to write a post on how to generate a strong password for your site.
How to Generate a Strong Password for Your WordPress Site?
Generating a strong password can be a bit tricky. You need to keep a couple of things in mind when creating one.
1. Create Long Passwords
Every character that you add to your password makes it stronger. The general rule of thumb is to create a password that exceeds 8-10 characters. But with time and advances in technology, the computational ability of hacker bots has increased, which is why many security experts today recommend passphrases. A passphrase is longer than a password and contains spaces between its words. Unlike long passwords, passphrases (although long) are easy to remember. Look at the example below:
Long password: pd&&)xG56ZhLNrjl4jjNJ4#h (Hard to remember)
Long passphrase: It’s wolf was white as you know nothing John Snow (Easy to remember)
The advantage of using a passphrase is evident, but the problem is that not all login pages allow passwords to be that long or to contain spaces between words.
2. Use Uncommon Words
The more common words you use, the easier it is for bots to crack your password. Let’s take a look at the common words used in passwords according to research conducted by SplashData. This will give us an idea of which common words to avoid.
Numbers in order like ‘12345’ or ‘1234567890’. In the report by SplashData, 7 out of the top 15 worst passwords are numbers in order.
Letters in order like ‘abc123’, and even words like ‘qwerty’ and ‘princess’, are some of the most commonly used passwords.
Passwords based on common interests, like ‘football’ and ‘baseball’, are increasingly used by website owners. Even Star Wars-related passwords like ‘solo’ and ‘starwars’ are being used.
We talked about passphrases in the earlier point, and it’s worth mentioning here that if you use common words in a passphrase, it becomes easy for Dictionary attack bots to crack. Therefore, simply avoid common words when you generate a strong password.
3. Don’t Use Publicly Known Details
Suppose your name is Ruby and on your blog you have created an author profile using the same name. This means you will have an author URL containing Ruby (look at the picture below). It’s a publicly known detail, so it’s wise not to use this name in the login password, because hackers are known to look up people’s public details on websites to try to guess their credentials.
Publicly known details do not have to be as personal as a name. It could be something you are interested in. Say you run a blog on your favourite alternative band Coldplay. We’d suggest you don’t use the word Coldplay in the password.
4. Use a Combination of Uppercase, Lowercase and Special Characters
Hacker bots are designed to apply formulas to guess the correct password of a site. Here’s one general formula used to crack passwords, giving the number of candidates a bot has to try:
(number of possible characters of a certain type) ^ (number of characters of that type in the password)
× (number of possible characters of a different type) ^ (number of characters of that type in the password)
Bots know that a given character belongs to a particular set. They know that ‘a’ is a lowercase character and belongs to a set of 26 lowercase letters. They also know that ‘A’ is an uppercase character and belongs to a set of 26 uppercase letters.
With a number of such formulas in place, bots are able to try a few million passwords every second. Therefore, if you have a simple password like ‘password123’, bots are likely to take less than a second to crack your WordPress login credentials. To generate a strong password, use a combination of uppercase, lowercase and special characters, which will confuse the bot because it won’t find a pattern. It will move on to the next target and your site will be safe.
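Added example (not code from the original post): a small Python script that puts points 1, 2 and 4 into practice. It applies the formula above per character type, checks a password against a constructed common-word list the way a Dictionary attack bot would, and shows that a passphrase built from a word list is counted as (list size) ^ (number of words) rather than (character set) ^ (length). The guess rate of five million per second stands in for the article’s “a few million”, and the word list size of 7776 is an assumption (the size of a standard Diceware list).

```python
import string

# Character classes a cracking bot assumes, per the article: it knows 'a' is one
# of 26 lowercase letters and 'A' is one of 26 uppercase letters.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Constructed, deliberately tiny stand-in for the lists a dictionary bot tries first.
COMMON_WORDS = {"password", "123456", "qwerty", "football", "starwars", "solo", "princess"}

GUESSES_PER_SECOND = 5_000_000  # the article's "a few million passwords every second"


def keyspace(password: str) -> int:
    """Article's formula: multiply (size of set) ** (characters of that type) over each type.
    It ignores where each character sits, so it is a lower bound on a blind brute force."""
    counts = dict.fromkeys(CHAR_CLASSES, 0)
    for ch in password:
        for name, chars in CHAR_CLASSES.items():
            if ch in chars:
                counts[name] += 1
                break
    space = 1
    for name, n in counts.items():
        if n:
            space *= len(CHAR_CLASSES[name]) ** n
    return space


def passphrase_keyspace(phrase: str, wordlist_size: int) -> int:
    """A phrase made only of word-list words is wordlist_size ** words, not charset ** length."""
    return wordlist_size ** len(phrase.split())


def dictionary_hit(password: str) -> bool:
    """Dictionary bots try each common word as-is and with trailing digits (password123)."""
    lowered = password.lower()
    return lowered in COMMON_WORDS or lowered.rstrip(string.digits) in COMMON_WORDS


def seconds_to_crack(password: str) -> float:
    """Worst case: the whole dictionary if the word is listed, otherwise the full keyspace."""
    if dictionary_hit(password):
        return len(COMMON_WORDS) / GUESSES_PER_SECOND
    return keyspace(password) / GUESSES_PER_SECOND
```

Running seconds_to_crack on ‘password123’ and on the article’s WordPress-generated password shows why the first falls in well under a second to the dictionary even though its brute-force keyspace looks large.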
Now that we know how to generate a strong password, let’s look at how to manage strong passwords properly.
How to Manage Strong Passwords?
Earlier we talked about how strong passwords can be difficult, sometimes even impossible, to remember. That is why storing passwords is important. In the following paragraphs, we’ll look at the different ways you can store passwords.
1. Write it Down
Write the password down on a piece of paper. That way hackers can’t steal it unless they know your address and break into your house. That said, writing down a password comes with its own risks. It can still be stolen, or you can simply lose it. If you misplace the paper, you lose every single password you had stored on it. Sure, you may have a backup sheet, but if the paper falls into the wrong hands, it’ll be a disaster. In cases like these, the best way forward is to change all credentials.
2. Store it in a Password Protected File
Another way of storing a password is to keep it on a portable storage device like a hard disk drive or USB drive, or on your personal computer. You can make sure that the folder or the files themselves are password protected. Such a file is less likely to be lost or read by someone else. The only catch is that you can forget the password that protects the file. And if your device (computer, USB or hard drive) gets corrupted, the files where you stored the passwords may become unreadable or, worse, unrecoverable.
3. Use a Password Manager
You can use a piece of software, a password manager, to store all your passwords in a single place. It stores the passwords in the cloud or on your local computer in encrypted form. There are three types of password manager. One where the manager is offered as a bonus feature of a security product. Two, a manager that stores your passwords in the cloud and offers functionality like auto-filling forms. And the third is a standalone password manager.
While there are many advantages to using a password manager, there are a couple of disadvantages too. Hackers can target the servers where a password manager stores your passwords. Case in point: LastPass, a popular password manager, was hacked not once but twice back in 2016. Fortunately, the act was pulled off by white hat hackers, and no damage was done. A lot of password managers use a ‘master password’ to give access to the files where they store your passwords. Therefore, if you lose your master password, you lose all your passwords. And there is no ‘forgot my password’ option to recover a master password.
Over to You
A strong password and username are your first line of defense against hackers. But having a number of protective measures in place is a better way to ensure WordPress security. Take a look at our guides on two-factor authentication, HTTP authentication, and moving your site from HTTP to HTTPS.