WordPress Security

How Secure is My Password? Six Ways to Strengthen Your Password Security

How strong is your password? What is a strong password?

Dan Knauss

How often have you logged into your online banking, social media accounts, or WordPress dashboard and wondered, “How secure is my password?” You’re on a public network. Anyone might see or intercept what you’re doing online. Is the password you’re using keeping you secure?

How strong is your password? What is a “strong” password anyway?

In this guide, we’ll explain the concept of password strength. It will be clear why strong password credentials are important for administrators and other privileged users. Then, we’ll give you some tangible ways to check your password security.

A guy walks into a bar and asks, “What’s the Wi-Fi password?”

Bartender: You need to buy a drink first.

Guy: Okay, I’ll have a coke.

Bartender: Is Pepsi okay?

Guy: Sure. How much is that?

Bartender: $3

Guy: There you go. So what’s the Wi-Fi password?

Bartender: “youneedtobuyadrinkfirst” — No spaces, all lowercase.

Is this a strong password? It sure seems effective — and profitable — until everyone knows the joke. 🙂

What is a Strong Password?

A strong password is one that would take an impossibly long time to crack with the strongest password-guessing programs available. A password that is hard to crack is long and drawn from a large set of characters, so that the number of possible combinations is enormous.

Even if you’re using a crazy-strong password, if another user on your website has a weak one, especially an administrator or other privileged account, your whole website is vulnerable.

If the number of possible characters in the password is P and the length of the password is L, then the number of possible passwords (the keyspace) is P^L.

Following this formula, an 8-character password limited to 52 (26 × 2) upper- and lower-case letters and 10 numerals has a keyspace of 62^8. That’s 218,340,105,584,896, or about 2.18 × 10^14.

Roughly 218 trillion possible combinations of the characters your password may use!

However, an attacker doesn’t need to try them all. If the password was chosen uniformly at random, brute-force guessing has a 50% chance of success after trying half the keyspace, about 109 trillion guesses, and on average that is how many it takes. Each failed guess eliminates one candidate, so the probability that the next guess is right keeps rising as the attack proceeds.

Password Recovery Times
Terahash’s estimated time to crack an 8-character password stored as a plain, unsalted MD5 hash is less than 8 hours. WordPress stored passwords that way only before version 2.5 (2008); since then it has used salted, iterated MD5 (phpass), which is slower to attack but, as discussed below, still far from state of the art.

So how quickly could 109 Trillion guesses be made?

With a powerful computer working against a hashed password in a stolen local file, on the order of a billion guesses per second is possible against a fast hash like MD5, so those 109 trillion guesses take around 109,000 seconds, just over 30 hours. Guessing online against a live login form is far slower: 10,000 guesses per minute would be a generous rate, and at that rate the same 109 trillion guesses take more than 20,000 years. (That is brute-force guessing; “credential stuffing” is the different, and much faster, attack of replaying username/password pairs already leaked from other sites.)

But what if your password and username are part of a data breach? Suppose attackers steal a database that includes your account. Now there is no login form and no rate limit between them and your password: they can run cracking software on GPU hardware directly against the stored hashes. (Stored passwords are hashed, not encrypted: there is no key that would reveal them, only guesses to compare against the hash.) An 8-character password stored as a single unsalted MD5 hash falls in about 8 hours, according to Terahash, a company specializing in massively distributed password cracking. WordPress has used phpass since version 2.5, which salts each password and runs 8,192 MD5 rounds per guess, so each guess costs the attacker roughly 8,000 times more; WordPress 6.8 moved new password hashes to bcrypt, which is slower still and tunable. But a fast hash plus a short password is a losing combination, and many other applications still store nothing better than plain MD5.
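To make the “MD5 plus 8,192 rounds” point concrete, here is a Python reimplementation of phpass’ portable $P$ scheme, the format WordPress used for stored passwords from 2.5 through 6.7. This is an added example written for this article, not WordPress or phpass code; the function names hash_password, check_password and md5_calls_per_guess are ours, and a fixed salt is only used to make the output reproducible. It shows what an attacker must recompute per guess (8,193 MD5 calls instead of one) and why the per-user salt stops a single precomputed table from covering every account.

```python
"""phpass portable ($P$) hashing, as WordPress 2.5 - 6.7 stored it, reimplemented for illustration."""
import hashlib
import hmac
import os
from typing import Optional

# phpass' own 64-character alphabet (not RFC 4648 base64): index == 6-bit value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64: little-endian packing, 6 bits per output character (3 bytes -> 4 chars)."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def crypt_private(password: bytes, setting: str) -> str:
    """Core of phpass: MD5(salt || pw), then 2**count_log2 rounds of MD5(prev || pw).
    `setting` is "$P$" + cost char + 8 salt chars (the first 12 chars of a stored hash).
    Returns "*0" for anything that is not a valid $P$/$H$ setting, as phpass does."""
    if setting[:3] not in ("$P$", "$H$"):
        return "*0"
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return "*0"
    salt = setting[4:12]
    if len(salt) != 8:
        return "*0"
    count = 1 << count_log2
    digest = hashlib.md5(salt.encode("ascii") + password).digest()
    for _ in range(count):                     # PHP: do { ... } while (--$count)  -> exactly `count` rounds
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)  # 12 + 22 = 34 characters


def hash_password(password: str, salt: Optional[bytes] = None, iteration_count_log2: int = 8) -> str:
    """Mirror of wp_hash_password(): WordPress constructs PasswordHash(8, true), and phpass adds 5
    to the requested log2 on PHP >= 5, so WordPress hashes carry cost char 'B' (index 13): 2**13 rounds."""
    if salt is None:
        salt = os.urandom(6)                   # 6 random bytes -> 8 salt characters
    setting = "$P$" + ITOA64[min(iteration_count_log2 + 5, 30)] + _encode64(salt, 6)
    return crypt_private(password.encode("utf-8"), setting)


def check_password(password: str, stored: str) -> bool:
    """Recompute with the salt and cost embedded in `stored`, compare in constant time."""
    return hmac.compare_digest(crypt_private(password.encode("utf-8"), stored), stored)


def md5_calls_per_guess(stored: str) -> int:
    """Work an attacker pays per candidate password: 1 + 2**count_log2 MD5 calls (vs. 1 for plain MD5)."""
    return 1 + (1 << ITOA64.find(stored[3]))


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")
    print(h)                                   # e.g. $P$B<8 salt chars><22 hash chars>
    print(check_password("correct horse battery staple", h), check_password("Tr0ub4dor&3", h))
    print(md5_calls_per_guess(h), "MD5 calls per guess")
```

The salt is why two users with the same password get different hashes and why a cracker has to attack each account separately; the 8,192 rounds are the only thing slowing each guess down, and on a modern GPU that is still millions of guesses per second.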

Enjoying the password mathematics? A more precise way to express password strength is entropy, measured in bits: for a password chosen uniformly at random, entropy = L × log2(P), so our 62^8 example has about 47.6 bits, and each extra random character from that set adds about 5.95 bits. Here’s a great article on password entropy calculations by Dr. Anna Szczepanek.
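The arithmetic above, in code. This is an added example written for this article, not the author’s or the linked article’s; the helper names are ours, and the 7,776-word list size (the EFF long wordlist) is an assumption about what an attacker knows when attacking a multi-word passphrase. It carries the same formula through for passphrases, which the article discusses further down, to show how much the answer depends on whether the attacker models the password as random characters or as words from a list.

```python
import math

# Character-set sizes behind the article's arithmetic.
LETTERS_DIGITS = 26 + 26 + 10      # 62: upper, lower, digits
PRINTABLE_ASCII = 95               # letters, digits, space and 32 punctuation characters
EFF_LONG_WORDLIST = 7776           # assumption: passphrase words drawn from the EFF long list

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """P^L: every distinct password of exactly this length from this character set."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """L * log2(P): bits of entropy for a uniformly random choice from the keyspace."""
    return length * math.log2(alphabet_size)


def expected_guesses(space: int) -> int:
    """A brute-force attacker hits a uniformly random password after half the keyspace, on average."""
    return space // 2


def seconds_to_crack(space: int, guesses_per_second: float) -> float:
    return expected_guesses(space) / guesses_per_second


def years_to_crack(space: int, guesses_per_second: float) -> float:
    return seconds_to_crack(space, guesses_per_second) / SECONDS_PER_YEAR


def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """Keyspace when the attacker knows the password is `words` words from a known list."""
    return wordlist_size ** words


def report(label: str, space: int, bits: float) -> str:
    offline = seconds_to_crack(space, 1e9) / 3600            # ~1 billion MD5 guesses/s, offline
    online = years_to_crack(space, 10_000 / 60)              # 10,000 guesses/min against a login form
    return f"{label:<34} {bits:6.1f} bits  offline {offline:14,.1f} h  online {online:14,.0f} y"


if __name__ == "__main__":
    print(report("8 chars, letters+digits (62^8)", keyspace(LETTERS_DIGITS, 8), entropy_bits(LETTERS_DIGITS, 8)))
    print(report("12 chars, letters+digits", keyspace(LETTERS_DIGITS, 12), entropy_bits(LETTERS_DIGITS, 12)))
    print(report("14 chars, printable ASCII", keyspace(PRINTABLE_ASCII, 14), entropy_bits(PRINTABLE_ASCII, 14)))
    # The same 22-letter passphrase, two attacker models:
    print(report("22 lowercase letters, random model", keyspace(26, 22), entropy_bits(26, 22)))
    print(report("4 words from EFF list, word model", passphrase_keyspace(EFF_LONG_WORDLIST, 4),
                 entropy_bits(EFF_LONG_WORDLIST, 4)))
    print("12 vs 6 chars, same set:", keyspace(LETTERS_DIGITS, 12) // keyspace(LETTERS_DIGITS, 6), "x more guesses")
```

The last two rows are the point: an online checker that sees “Deercloudgranitecheese” as 22 random letters reports about 103 bits, while an attacker who assumes four common words faces about 52 bits, roughly the same as a random 9-character password. Both figures are correct for their model; only the second is the one that matters for your threat model.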

A Reused Password is Always Weak

There are two lessons to learn from our password-guessing calculations.

First, an 8-character password of moderate complexity is unlikely to be guessed over the network, but it falls quickly if the site’s password database is stolen and the hashes are weak, and it is useless if you reuse it elsewhere. Breach databases with millions of user accounts are high-value targets, and criminals with powerful computing resources will eventually crack much of what’s in them, as we’ve seen in the wake of the LastPass breach.

Second, brute-forcing your online accounts directly might take hundreds or thousands of years, but if you’ve reused a password, or it has appeared in a data breach, the attacker doesn’t need to guess at all, and you have made yourself a much, much easier target.

Attackers test every real credential pair they’ve stolen against other sites where the owner might have reused it (credential stuffing). That’s why Solid Security Pro lets you require strong passwords and also reject any password that has surfaced in a known data breach.
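One common way to implement a “reject breached passwords” check is the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords API: the client sends only the first five hex characters of the password’s SHA-1 hash and matches the remaining 35 locally, so the password never leaves the site. The following is an added example written for this article, not Solid Security’s code. It runs offline: fake_range_server and its three-entry “breach corpus” with made-up counts stand in for the real service, and the SUFFIX:COUNT line format is what the live API returns.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for a breach corpus (passwords and counts invented for this example).
CONSTRUCTED_BREACHED = {"123456": 37_000_000, "password": 9_000_000, "qwerty": 3_900_000}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """k-anonymity split: 5-char prefix goes to the server, 35-char suffix stays on the client."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def fake_range_server(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Returns one 'SUFFIX:COUNT' line per breached hash that shares the prefix."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    # The real service pads responses with zero-count decoys so response size leaks nothing.
    lines.append("0123456789ABCDEF0123456789ABCDEF012:0")
    return "\r\n".join(lines)


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; ignore blank or malformed lines rather than failing open."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus, 0 if never. Only the prefix is sent."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch_range: Callable[[str], str] = fake_range_server,
                        min_length: int = 12) -> Tuple[bool, str]:
    """Policy a site might enforce on new passwords: long enough, and never seen in a breach."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"appears in known breaches ({seen:,} times)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Deercloudgranitecheese", "correct horse battery staple"):
        print(candidate, "->", password_acceptable(candidate, min_length=6))
```

In production the fetch function would be an HTTPS GET to the range endpoint with a short timeout, and the decision on a network failure is a policy choice you should make deliberately (failing closed rejects everything during an outage; failing open lets breached passwords through).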

How Secure is My Password?

How secure are the passwords that you use to access your online accounts? And even more importantly, how secure is the password you use to log into your WordPress website?

Throughout the years you’ve been using the Internet, you’ve no doubt chosen dozens (if not hundreds and thousands) of different passwords and usernames. And if you’re like many Internet users, you don’t put much thought into the passwords you choose.

A 2019 Google study, in conjunction with The Harris Poll, found that nearly 66% of people use identical passwords across multiple online accounts. In addition, the study found that 13% of Internet users reuse the same password in all their online accounts. And more than half — 52% — use the same password for several (but not all) online accounts. 

As recently as 2017, the most common password was “123456.”

And the second most common?

“Password.” 

Yes, the word “password” was the second most commonly used password only a few years ago.

It’s important to understand that a strong password will help keep malicious hackers out of your website’s admin area. This protects your sensitive information and the personal data of your site users.

It also helps protect your site content and keeps it from falling prey to a cyberattack.

Tips for Choosing a Secure Password

Using secure passwords has become more important over time because cyberattacks are increasing in volume and sophistication. They’re targeting small to mid-sized businesses and specific individuals within them. So let’s look at some ways to create truly strong passwords.

Use Random Characters

This is a password-generating method that you’re probably already familiar with. The method involves building passwords by stringing random letters, numbers, and special characters together.

Passwords like this are very secure and even more so if you follow some simple guidelines:

  • Use at least one letter, number, and typographic character such as ‘@’ or ‘*’.
  • Use at least one lowercase and one uppercase letter
  • Make your password as long as you can. Every character you add multiplies the number of possibilities by the size of the character set: 62 for letters and digits, about 95 for all printable ASCII.

Remember, a 12-character password from that 62-character set has 62^6, about 57 billion, times as many possibilities as a 6-character one, so it takes a brute-force attacker that much longer to exhaust.

WordPress lets you generate strong, random passwords in the user account settings, or you can use an external password generator.

TIP: Consider starting from an opening line or phrase of a favorite book, then substitute characters or numbers for some of the letters and add words of your own. Famous lines and quotations are in the wordlists crackers use, so the line itself is only a memory aid; the strength comes from what you change and add. Avoid common phrases outright.

Use Random Words

One password-creation option that has become increasingly popular in recent years is the multi-word password, or passphrase. The strategy is to string seemingly unrelated words together into a password that automated guessing is unlikely to hit yet you can still remember.

For example, “Deercloudgranitecheese” is a relatively strong password.

It’s easier to remember than a randomly generated password, too.

With strings of words and phrases, you can form word associations that only make sense to you to help you remember the password.

This approach is not more secure than completely random characters of the same length; a four-word passphrase drawn from a common wordlist is roughly as strong as an 8- or 9-character random password. Nonsense words, unusual spellings, and mixing languages make it harder for dictionary-based attacks to reconstruct, and adding a fifth or sixth word helps more than any of those.

If you’ve decided to use a multi-word password to secure your WordPress admin account, there are a few guidelines that you should keep in mind:

  • Choose words that are truly random and not typically associated with each other. If you run out of imagination, you can use a random word generator.
  • Using more words makes your passphrase more secure. It’s a good idea to use a minimum of four words in your passphrase.
  • Always use different passwords for every account you access, including your WordPress admin accounts.

Remember, no matter the style of password that you choose to use, you always need to use a different one for every account you access. Ensure that the password you’re using for your WordPress admin dashboard isn’t used anywhere else on the web.

Additionally, keep all of your passwords safely backed up in a secure location, ideally the encrypted vault of a password manager. Change a password promptly whenever there is reason to think it was exposed: a breach notice, a credential you shared, a compromised device. Scheduled rotation every 90 to 120 days used to be standard advice, but current NIST guidance (SP 800-63B) recommends against forcing periodic changes, because it pushes people toward predictable variations of the old password; change on evidence of compromise instead.


Best Password Strength Checker

You can find many different online tools to assess the strength of the passwords you use. One of these tools is Security.org’s password checker. Two cautions before you use any of them: never paste a password you actually use into a third-party site (test one of the same length and shape instead), and remember that the times they report assume a particular offline guessing rate and treat your password as if it were random, so they are rough comparisons, not guarantees.

If you plug a 14-character password with a good mixture of letters, numbers, and special characters into the checker, it reports that a bot would need over 200 million years to crack it.

However, the same checker says a bot could crack a 12-character password using only letters and numbers within about three years.

And a 10-character password containing only letters is estimated at 58 minutes.

Going from 10 to 14 characters while widening the character set takes the estimate from under an hour to hundreds of millions of years: both the length and the size of the character set sit in the exponent.

For the multi-word passphrase “Deercloudgranitecheese,” the checker reports 44 quintillion years. Take that with a grain of salt: the figure treats the passphrase as 22 random lowercase letters (26^22, roughly 10^31 possibilities). An attacker who assumes it is four common English words has a much smaller space to search, on the order of 10^16 for four words from a 10,000-word list, which is closer to a random 9-character password than to a random 22-character one.

A deer, cloud, granite, and cheese: still memorable, still far stronger than “password,” and stronger again if you add a fifth word or an uncommon one.

Top 5 WordPress Password Security Tips


Don’t Share Passwords

Sharing your password with others can be as silly as randomly handing out extra house keys to people you don’t know. If you have to give a password to third-party vendors, change it once their work is complete. Solid Security’s temporary privilege escalation feature makes this simple.

Don’t Reuse Passwords

Use a unique password for every account you have.

Require Strong Passwords

WordPress password security is about more than just your password. If you’re using a 5-star, crazy good password but another administrator (or any user with elevated privileges) has a weak one, your whole site is still vulnerable. You can force every user on your WordPress site to use strong passwords with Solid Security.

Good WordPress password security requires strong passwords for every account, not just yours, and WordPress lets you require them.

Don’t Use Admin as a Username

Never use “admin” as your username. (If that’s your username, change it now.) Don’t use anything else that’s easily guessed either, and if you can use a different username on every site, that’s ideal.

Solid Security has a feature to automatically block logins that use “admin” for the username.

Limit Login Attempts Allowed

Limiting login attempts does nothing against an attacker cracking a stolen hash offline, but it does stop bots from hammering your login form with guesses: after a few failures from one address (or against one username), further attempts are locked out for a while, which cuts the online guessing rate from thousands per minute to a handful.

(Solid Security has a feature to limit logins as well.)
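What a login-attempt limiter actually watches for, as an added example written for this article rather than Solid Security’s implementation: the sliding-window logic below runs over a few constructed web-server access-log lines (TEST-NET addresses and invented timestamps). It relies on one WordPress behaviour: a failed POST to wp-login.php is answered with HTTP 200 (the form is re-rendered with an error), a successful one with a 302 redirect to the dashboard. The threshold and window are assumptions to tune for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed combined-format access log: one bot (203.0.113.7) guessing every 10 s, one human (198.51.100.2).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.2 - - [12/Mar/2024:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.2 - - [12/Mar/2024:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.2 - - [12/Mar/2024:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:50 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"     # xmlrpc.php is the other classic target, but it returns 200 either way


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


def is_failed_login(ev: dict) -> bool:
    return ev["method"] == "POST" and ev["path"] == LOGIN_PATH and ev["status"] == 200


def is_successful_login(ev: dict) -> bool:
    return ev["method"] == "POST" and ev["path"] == LOGIN_PATH and ev["status"] == 302


def detect_bursts(lines: Iterable[str], threshold: int = 5,
                  window: timedelta = timedelta(minutes=5)) -> Dict[str, datetime]:
    """Per source IP, keep the failures inside a sliding window; flag the IP at the moment
    the count reaches `threshold`. Returns {ip: time_first_flagged}. A limiter would lock out here."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    events = [e for e in map(parse_line, lines) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:          # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def success_after_failures(lines: Iterable[str], flagged: Dict[str, datetime]) -> List[Tuple[str, datetime]]:
    """A flagged IP that later gets a 302 is the guess that worked: that account needs a reset, not just a block."""
    hits = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["ip"] in flagged and is_successful_login(ev) and ev["ts"] > flagged[ev["ip"]]:
            hits.append((ev["ip"], ev["ts"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    flagged = detect_bursts(lines)
    print("flagged:", {ip: ts.isoformat() for ip, ts in flagged.items()})
    print("successful login after being flagged:", success_after_failures(lines, flagged))
```

Keying the window on source IP alone is the simplest version; attackers spread guesses across many addresses, so real limiters also count failures per username and apply a site-wide threshold. The success-after-failures check is the detection that matters most: a lockout slows the attack, but a 302 after a burst of 200s means the password was guessed.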

Boost Your Password Security With Strong Passwords

WordPress security has been a big issue in the past year and we’re taking it seriously. But one of the most important things you can do has little to do with WordPress. It’s all about your password. If you want your site to be safe, worry about your WordPress password security.

Six Simple Rules for Strong Password Security:

  1. Use different passwords on different sites: The first rule of password security is to use a different password for every site. People are lazy and reuse the same password over and over. That’s easy, but all it takes is one breach and every login that shares that password is compromised. It’s tough, but every site gets its own password.
  2. Be careful with “base password plus a twist” schemes: A common way to keep different passwords memorable is a base you remember plus something site-specific, such as the first letters of the site name. If your base is pEan%t, Google becomes pEan%tGOOG and WordPress becomes pEan%tWORD. The problem is that once one variant leaks in a breach, the pattern is obvious and an attacker can derive the rest. Treat this as a stopgap at best; a password manager (below) removes the need for it.
  3. Don’t be predictable: That’s the second rule of password security. Don’t do anything predictable, and remember that you’re more predictable than you think: capitalizing the first letter, a digit or two at the end, and an exclamation mark are the first mutations every cracking tool tries.
  4. Use long passwords: You want your password to be long. Six characters is unacceptable, and the 8-character examples above fall in hours to an offline attack, so aim for at least 12 and more if you can. WordPress accepts spaces in the password field, so a sentence or phrase works.
  5. Use many types of characters: Use upper and lower case letters, numbers, and symbols in your password. Add some complications. Make it weird.
  6. Don’t use real words or phrases: Passwords are harder to remember but stronger if they don’t contain a real word or phrase. A long password that’s your favorite quote may not be as secure as you think, because well-known quotes sit in the wordlists crackers use; that changes only if the phrase appears nowhere on the internet. This advice is optional, since you might trade some strength for memorability. Compensate with length: a passphrase of four or more unrelated words (20 characters or more) is still very hard to guess, while a single real word of 8 or 10 letters is not.

Use a Password Manager

Truly strong passwords are ridiculously long and full of numbers, symbols, and random capitalization. They don’t contain any real words or phrases. And you have a different one for every single site.

So they’re impossible to memorize.

That’s no good — unless you get some help.

The solution to WordPress password security — and password security everywhere — is to use a password manager such as 1Password or Bitwarden.

You’ll have a master password for the service that needs to be something you can remember, and it should be long, because everything depends on it. The manager encrypts your vault with a key derived from that master password, so even if the encrypted vault is stolen, the thief still has to crack the master password offline. That is exactly what happened in the LastPass breach: encrypted vaults were taken, and users with short or reused master passwords were the ones at risk. Turn on two-factor authentication for the manager itself as well.

Use Two-Factor Authentication

To really boost WordPress password security, you don’t want to rely on a password alone. You want what’s called two-factor authentication (2FA): logins require two pieces of evidence, something you know (your password) and something you have. The “something you have” is typically a phone running an authenticator app such as Authy that produces one-time codes, or better, a hardware security key or passkey, which cannot be phished because the browser only releases the credential to the site it was registered for. One-time codes can still be relayed by a phishing page that proxies the login in real time, so they raise the bar without eliminating phishing.

It adds an extra layer of security to your accounts. Google, Dropbox, Apple, Twitter, and Facebook support it, so this isn’t fringe paranoia.

The Solid Security plugin gives you two-factor authentication for your WordPress website. Even better, you can use passwordless logins and Passkeys.

Lock Down Your WordPress Website

For the most rock-solid site security you’ll find for WordPress, try using the powerful WordPress security plugin, Solid Security Pro.

Solid Security Pro offers 30+ ways to secure and protect your website from ever-present WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Did you like this article? Spread the word: