There are dozens of ways a WordPress website might get hacked. There’s site hijacking, vulnerability exploitation, or a good ol’ DDoS attack. Some attacks only work on little websites with minimal infrastructure. Some attacks only work on big websites with a lot of traffic or data to steal. But there’s one security concern that every WordPress site, no matter how big or small, should be worried about: Passwords.
Passwords that are too easy, too simple, or too obviously guessable by anyone who knows the person who chose them. Hackers used to have to really research a person and then guess their passwords. It’s even worse today, when they can use AI to skim your social media for keywords and brute-force software to guess-and-check every possible variation of letters, numbers, and words. And if even one of your WordPress contributor accounts gets hacked, your entire website could be at risk.
That is exactly why it’s still so important to make sure not only your admin passwords but every new user password is strong. Today, we’re going to take a look at two wrong ways to make your WordPress passwords stronger, and one surefire method for both building and remembering really strong passwords.
Password Security vs Convenience: Don’t Use a Password Manager
In a perfect world, each person could have a password that looks like “Au&sk%624hJ!” and have that be easily remembered. But human brains don’t work like that. We remember words, patterns, and concepts, not random strings of characters. That is exactly why people tend to make weak passwords even though they know better and are warned by every single website where they make an account.
Some people fall back on a password manager, a place to copy-paste your passwords in and out of so you can use completely nonsensical passwords. But this also has a few security weaknesses. First, if anyone gets hold of or manages to access your password manager account, every single one of your accounts is exposed. And second, if you ever find yourself unable to access the password manager, you are effectively locked out of your accounts. So we don’t actually recommend this route despite its popularity in other WordPress guides online.
Essentially, there is a basic conflict between the two concepts of security and convenience. If something is convenient (like staying auto-logged in or having your passwords remembered by a device), then it’s probably not secure. And if something is secure (like nonsensical passwords or two-factor authentication), then it’s probably not convenient.
Brute Force Password Guessers: Don’t Use the 3 Words Method
In the last year, there has been a popular rumor that there’s a “quick and easy” way to create strong passwords without using any numbers or special characters. It’s called the three-words method. And to do it, all you have to do is string three random words together to create one long but simple password. This is a myth, a fad, and a terrible idea. And we’ll happily tell you why.
Earlier, we mentioned that hackers can use a ‘brute force’ attack to simply guess and try a large number of passwords based on some kind of pattern. There are brute force attacks that try every word in the dictionary, and others that guess PINs by trying every combination of four or six digits.
So three words in a row (even spelled in l33t speak) is no real challenge for hackers with brute force programs in their arsenal. Sure, you may have heard that the passwords are ‘long enough’ to foil the hackers. Or that three words are too much to brute force. This is incorrect, and a three-word policy will make your website, accounts, and users vulnerable.
Nonsense Passwords that Make Sense: The Acronym Method
So how do you build a strong password and remember it? Or, more to the point, how do you help your countless WordPress users build and remember strong passwords without a password manager or any not-so-helpful tricks? The answer is Acronyms!
An acronym is a word or combination of letters that stands for a sentence or phrase. The classic LOL, for example, is an acronym for Laughing Out Loud. We also use acronyms to remember things better, like Never Eat Soggy Waffles to help small children remember the compass directions North, East, South, West. And by using acronyms, you and all your WordPress users can build strong passwords AND remember them. Here’s how you do it:
1) The Number of Characters = The Number of Words in Your Acronym
First, determine how long your password needs to be. Many of us have struggled as password minimums rise beyond our old standby password lengths. Do you need six characters, eight, or twelve? The number of characters you need for a password will determine the number of words in your acronym. For example, let’s say these are your requirements:
- 8 Characters
- At least 1 Number
- At least 1 Capital Letter
- At least 1 Symbol
This may sound hard, but we can work with it!
2) Write a Funny Sentence
The next part is the most fun. Challenge yourself (and your users) to use that number of words to write a funny sentence that will be amusing to remember. Our minds remember jokes a lot easier than passwords. This sentence can be anything. It can be an inside joke from your life, feature funny words you like to say, or tell a story. This writer likes to use jokes about fuzzy animals and baked goods, but you can use anything you want, as long as it’s memorable and you smile a little every time you think of it. Because you will be thinking of it every time you log in.
Here are three examples to give you an idea of your real freedom here. Note how each has exactly 8 words.
- Those Flying Monkeys Can Play a Mean Accordion
- Don’t Touch That Dial, We’ll Be Right Back
- This Is Stupid I Hate Making New Passwords
3) Password-ize It!
The final step is to turn your funny sentence into an acronym, and an acronym that is password-worthy. This means that your password will start by being made of the first letter of each word in the sentence. Then you will choose specific letters to capitalize or turn into a number or symbol. The key here is to use intuitive transformations: things you feel when you say the sentence in your head, like where the emphasis goes or which words are the most important. This will make the alterations easier to remember.
Thus, our examples would transform like so (sentence → acronym → password):
- Those Flying Monkeys Can Play a Mean Accordion → tfmcpama → 7fMcp4mA
- Don’t Touch That Dial, We’ll Be Right Back → dttdwbrb → D77dWb@b
- This Is Stupid I Hate Making New Passwords → tisihmnp → t!5IhmnP
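The three steps above, worked through in Python as an added example that is not part of the original post: it takes the first letter of each word (step 1 and 2), applies the position-by-position substitutions the author chose for the three sample sentences (step 3), and then checks the result against the four requirements listed in step 1. The sentences and substitutions are the page’s own; the function names (`acronym`, `passwordize`, `meets_policy`, `policy_ok`, `build_all`) and the policy checker itself are this example’s assumptions. Running the check also shows something worth knowing before you put this on a signup page: the first sample password, 7fMcp4mA, contains no symbol, so it would fail the “at least 1 symbol” requirement exactly as listed, which is the kind of gap a server-side check on the account creation form catches before the password is accepted.

```python
import string

# The three sample sentences from the post, each paired with the
# position -> replacement choices the author made when "password-izing" them.
# Index 0 is the first letter of the acronym.
EXAMPLES = [
    ("Those Flying Monkeys Can Play a Mean Accordion",
     {0: "7", 2: "M", 5: "4", 7: "A"}),
    ("Don't Touch That Dial, We'll Be Right Back",
     {0: "D", 1: "7", 2: "7", 4: "W", 6: "@"}),
    ("This Is Stupid I Hate Making New Passwords",
     {1: "!", 2: "5", 3: "I", 7: "P"}),
]


def acronym(sentence):
    """Step 1/2: one lowercase letter per word, ignoring surrounding punctuation."""
    letters = []
    for word in sentence.split():
        word = word.strip(string.punctuation)  # drops the comma in "Dial,"; keeps "Don't"
        if word:
            letters.append(word[0].lower())
    return "".join(letters)


def passwordize(base, changes):
    """Step 3: apply the user's chosen capitalisations / digit / symbol swaps by position."""
    chars = list(base)
    for index, replacement in changes.items():
        if index >= len(chars):
            raise ValueError(f"position {index} is outside the {len(chars)}-letter acronym")
        chars[index] = replacement
    return "".join(chars)


def meets_policy(password, min_length=8):
    """Evaluate each of the four requirements from step 1 separately,
    so a signup form can tell the user exactly which one is missing."""
    return {
        "length": len(password) >= min_length,
        "digit": any(c.isdigit() for c in password),
        "upper": any(c.isupper() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def policy_ok(password, min_length=8):
    """True only when every requirement in meets_policy() passes."""
    return all(meets_policy(password, min_length).values())


def build_all(examples=EXAMPLES, expected_words=8):
    """Run the whole procedure over the sample sentences.
    Returns a list of (acronym, password, requirements-dict) tuples."""
    results = []
    for sentence, changes in examples:
        base = acronym(sentence)
        if len(base) != expected_words:
            raise ValueError(f"{sentence!r} has {len(base)} words, expected {expected_words}")
        password = passwordize(base, changes)
        results.append((base, password, meets_policy(password)))
    return results


if __name__ == "__main__":
    for (sentence, _), (base, password, checks) in zip(EXAMPLES, build_all()):
        failed = [name for name, ok in checks.items() if not ok]
        verdict = "OK" if not failed else "missing: " + ", ".join(failed)
        print(f"{sentence}\n  -> {base} -> {password}  [{verdict}]")
```

On a real signup page the `meets_policy` check belongs on the server (for WordPress, in the hook that validates the new user), not only in browser JavaScript, since anything that runs only client-side can be skipped; reporting the individual failed requirement back to the user is what lets them fix the one transformation they forgot rather than start over.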
Voila! Nonsensical Passwords That Make Sense to You
And that’s all there is. By following this process, you can make passwords a hacker has no chance of guessing AND you can actually remember the random combination of letters and symbols. Because it’s not random, not to you. In your mind, you’re telling yourself a joke every time you log in. So rather than feeling frustrated, you get a little chuckle instead.
And you can give the same gift to your WordPress users by creating an account creation page that walks them through the acronym process. Once everyone on your site has a strong, funny password, your security will passively increase in a significant way. Because hackers won’t be able to crack even one of your user passwords to gain unauthorized access to user permissions or data.
—
For more great WordPress security insights, contact us today!