30,000 WordPress websites are hacked every day. A large number of these hacks are from admin accounts using weak passwords.  A weak password can be cracked by a hacker in minutes, if not seconds.

This article will explain what makes a strong password, and provide tools to help you manage them.


Anatomy of Strong Passwords

  • In order for a password to be strong, it needs to be:
  • hard to guess (no words found in a dictionary)
  • completely random (no patterns)
  • long (to increase permutations)
  • made up of different types of characters (lowercase, uppercase, punctuation, numbers)
  • unique for each account you have (if you use the same password everywhere, all of your accounts are compromised once that one password is cracked)
  • changed periodically

Passwords that follow these rules are less likely to be guessed as there is no sensible logic to it. They are simply random strings of characters, all placed in a random order, with no rhyme or reason.  The more gobbledygook, the better.

j5^NTkWRu1k6HVI2%7!z276# is an example of a strong password.


Computers vs Humans

Computers have an easy time creating and remembering complicated strings of text. That’s what computers were built for. Y’know… to compute.  But humans are bad at remembering long, random pieces of data like that.  We tend to remember things better when there is an emotional or symbolic relationship to the memory.  Because of this, we often choose simple and easy to guess passwords, like our pets name or the year we were born.  While those are easy to remember, they are highly insecure.


Building A Strong Password

There are several methods to create a strong password.  Here are just a few.


Write Gobbledygook

Just hammer on your keyboard and write out a bunch of gibberish. This should be extremely hard for someone to guess.


Mnemonic Device

Mnemonic devices are techniques a person can use to help them improve their ability to remember something. In other words, it’s a memory technique to help your brain better encode and recall important information.

I recommend using a phrase you can remember.  Make it your favourite movie, your favourite song, or a quote that you like.  Take the first letter of each word to create your password.

For instance, using a quote from ‘A Tale of Two Cities’ (It was the best of times, it was the worst of times), and the street address of the house you grew up in, a great password would be:


Using the first letter of each word, the punctuation, and appending the street address, we created a strong password that we can actually remember.


This password meets all of our criteria.  It is random, long, hard to guess, and uses lowercase, uppercase, numbers and punctuation.



A passphrase in similar to a password, except that it uses a phrase instead of a word.  A passphrase could be something like:

  • ISawHerStandingThere (my favourite Beatles song)
  • TheImitationGame (a really good movie I watched recently – which has to do with cryptography, the very subject of this article)
  • Above&Beyond (my favourite band)

Passphrase’s are not strong because they often contain words found in a dictionary, but they are better than your pets name and year of birth because they are longer and as a side effect, create more permutations.


Password Generators

A password generator is a small program that will create a password for you based on best practices.  There are tons of password generators available.  Just a few are:

  • https://strongpasswordgenerator.com/
  • http://passwordsgenerator.net/
  • http://www.strongpasswordgenerator.org/
  • https://lastpass.com/generatepassword.php
  • https://www.random.org/passwords/


Strong Passwords in WordPress

As of WordPress 4.3, WordPress has a password generator baked right into it’s core.  When creating a new user, or changing a users existing password, WordPress will generate a secure, random, strong password that it recommends you use.  The community that builds and developers WordPress know what they are doing, so I suggest using the password they provide.  However, if you wanted to choose your own, you can simply overwrite their suggestion and enter in your own.



Password Expirations

When dealing with security on a website, it is better to be proactive than reactive.  A good way of doing this is to have passwords expire after a set amount of time.  Why you might ask?  Well, part of a strong password is to have it change periodically.  Because humans are not good at remember data types like this, most of us (myself included) will likely forget to change it 3 months from now.  But have a system in place where the password expires, it forces us to change the password once in a while.  If your password did become compromised and someone gained access to your website, they would likely loose access when the automated reset occurs.


How Do I Remember All These Passwords

To employ best practices in terms of security, passwords should: be long, complicated and random and never be used for more than one login at a time.

That’s great.  But what how the heck do you remember all those?

Enter password managers.  A password manager is a software application that helps you store and organize passwords. Password managers usually store passwords encrypted, requiring you to create a master password; a single, ideally very strong password which grants the user access to their entire password database.  This one password is the last and only password you will need to remember, so make sure it is strong.

I recommend LastPass. It is my favourite and the one that I use for store my 300 entry (and growing) password database.  I recommend LastPass because I have read about how they imply security, and they do everything according to best practices.  If you would like to sign up, please follow the link:



While I recommend LastPass, there are other solutions out there, such as:

  • Dashlane
  • 1Password
  • KeePass



Most people don’t put enough thought into choosing a strong password, yet it is one of the simplest ways to prevent a security breach.  If you are using an insecure password on your website (or any of your online accounts) I urge you to go change them as soon as possible.

Leave a comment

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

I agree to these terms.