Having a strong password for your WordPress site is one of the basic steps to maintaining good security posture and hygiene. Strong passwords, however, are a pain to create, and to remember… unless you have a few handy tips and tricks.
Passwords are by no means the perfect way to authenticate users. This is why methods like Captcha and two-factor authentication exist. However, most of the time, they're used as secondary authentication methods. This is because passwords are familiar to us, having been in use for a long time (remember 'Open Sesame'?), and we have programmed computers to process them easily too. What needs to be noted, however, is that the same properties that make passwords easy for computers to process and cross-check also make them 'bot-crackable'.
Brute Force and Dictionary attacks are automated, so bots don't even need a hacker's intervention to break into your WordPress site. Using a weak or common password is as good as handing your password to the hacker. This is why it's important to choose strong passwords.
WordPress has, since version 4.3, included an option for users to generate strong, random passwords, but they're almost impossible to remember. This is the problem with passwords: if they're easy to remember, they're also easy to guess; on the other hand, if they're overly complex or random, they're very hard to remember.
The real problem occurs when users concoct a supposedly random string because we have all been told that we need to use strong passwords. As the popular xkcd comic strip shows, such passwords may be harder for us to remember without being much harder for bots to crack.
To understand what a strong password looks like, you have to understand how passwords are cracked. Passwords are usually guessed by bots during Brute Force or Dictionary attacks. Brute Force bots try every possible combination of characters until one matches, while bots performing Dictionary attacks try a list of commonly used passwords to see if there's a match.
Guidelines for Setting a Strong Password/Passphrase for Your WordPress Site:
1. Longer passwords are stronger passwords
With every character added to your password, it gets stronger against Brute Force attacks. In general, passwords that exceed 8-10 characters are not typically crackable by Brute Force bots. However, as technology advances, the computational ability of these bots increases too. The safest bet is to have a passphrase of 15 characters or more.
2. Strong passwords don’t have common replacements
Strong passwords do not use common number-for-letter replacements (1337speak). This is because bots performing Brute Force attacks try every possible combination of characters.
3. Strong passwords contain uncommon words
Even when you use a ‘passphrase’, common words and common passwords are easily crackable by Dictionary attack bots. This means the more commonly used words your password contains, the weaker it is. According to an infographic by Splashdata, the top 25 most commonly used passwords are:
- Numbers in order: From '12345' to '1234567890', the numbers in order made up 7 of the top 15 passwords used.
- Letters in order: These are a commonly used password too. ‘qwerty’ has been one of the world’s most common passwords since 2014. ‘abc123’ is another common password too.
- Based on common sports and interests: This is the category that ‘football’, ‘baseball’, and Star Wars-related passwords like ‘solo’, ‘princess’ and ‘starwars’ fall under.
4. Strong passwords don’t contain your publicly known details
Ensure that your password does not contain personal, yet well-known, details about you. If you blog frequently about your favourite band, for example, it would be unwise to use the band's name as your WordPress site's password. If they are targeting your site, hackers could use social engineering to guess your password.
5. Strong passwords use a combination of uppercase, lowercase, and special characters
Every character of a given type can be guessed only when the set that character belongs to is searched. 'p' belongs to the set of 26 lowercase letters, while 'P' belongs to the set of 26 uppercase letters. If your password/passphrase contains letters of both cases, bots have to try both sets. Most bots use a general formula when cracking passwords:

$(\text{size of the first character set})^{\text{number of characters of that type}} \times (\text{size of the second character set})^{\text{number of characters of that type}} \times \ldots$

So, for example, even if your password were as simple (and weak) as 'password85', the number of attempts a bot has to make to crack it would be $26^8 \times 10^2$.
Just using 'P' instead of 'p' would mean that the bots need $(26 \times 2)^8 \times 10^2$ attempts. However, while this looks like a difficult password to crack, good bots try a few million passwords every second. Mixing letters and character types makes the password less predictable, and hence makes the bot's job harder. A good password could take years to crack.
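As an added example (not code from the article or from any WordPress product it mentions), the following Python puts the per-character-type formula above into a function, evaluates it for 'password85' and 'Password85', and applies guidelines 1 to 5 as a checker. The common-word list, the 1337speak map, the special-character set size (32 punctuation marks plus space) and the ten-million-guesses-per-second rate are constructed assumptions. It also computes the more conventional estimate, in which the attacker does not know which character type sits at each position, so every position draws from the union of the sets present.

```python
"""Added example, not from the article: search-space estimates following the
article's per-character-type formula, plus a checker for its five guidelines.
Word lists, rates and set sizes below are constructed for illustration."""
import string

SPECIAL_SET_SIZE = len(string.punctuation) + 1   # 32 punctuation marks plus space (assumption)
GUESSES_PER_SECOND = 10_000_000                  # "a few million per second"; constructed figure

# Constructed stand-in for a dictionary-attack wordlist; real lists are far larger.
COMMON_WORDS = ["password", "123456", "12345", "1234567890", "qwerty", "abc123",
                "football", "baseball", "starwars", "solo", "princess", "letmein"]

# Common number/symbol-for-letter replacements ("1337speak") that cracking rules undo.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def brute_force_attempts(password):
    """The article's model: letters draw from the case sets actually present
    (26 or 52), digits from 10, anything else from the special set, each raised
    to the number of characters of that type.
    'password85' -> 26^8 * 10^2, 'Password85' -> 52^8 * 10^2."""
    letters = [c for c in password if c.isalpha()]
    digits = [c for c in password if c.isdigit()]
    specials = [c for c in password if not c.isalnum()]
    letter_set = (26 if any(c.islower() for c in letters) else 0) + \
                 (26 if any(c.isupper() for c in letters) else 0)
    attempts = 1
    if letters:
        attempts *= letter_set ** len(letters)
    if digits:
        attempts *= 10 ** len(digits)
    if specials:
        attempts *= SPECIAL_SET_SIZE ** len(specials)
    return attempts


def worst_case_attempts(password):
    """Conventional estimate: the attacker does not know which type sits at
    which position, so every position draws from the union of the sets present."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += SPECIAL_SET_SIZE
    return alphabet ** len(password)


def years_to_exhaust(attempts, guesses_per_second=GUESSES_PER_SECOND):
    """Years needed to try the whole space at a fixed guess rate."""
    return attempts / guesses_per_second / (365 * 24 * 3600)


def check_passphrase(passphrase, public_details=()):
    """Apply the article's five guidelines; returns a list of problems (empty = passes).
    public_details: words publicly associated with the user (site name, favourite band)."""
    problems = []
    lowered = passphrase.lower()
    de_leeted = lowered.translate(LEET_MAP)
    if len(passphrase) < 15:
        problems.append("1: shorter than 15 characters")
    if any(w in de_leeted and w not in lowered for w in COMMON_WORDS):
        problems.append("2: a common word hidden behind number-for-letter replacements")
    if any(w in lowered for w in COMMON_WORDS):
        problems.append("3: contains a common word or common password")
    if any(d.lower() in lowered for d in public_details if d):
        problems.append("4: contains a publicly known detail about the user")
    if not (any(c.islower() for c in passphrase) and any(c.isupper() for c in passphrase)
            and any(not c.isalnum() for c in passphrase)):
        problems.append("5: needs lowercase, uppercase and special characters")
    return problems


if __name__ == "__main__":
    for pw in ["password85", "Password85", "P@ssw0rd!2024", "Violet-Kettle sings at 7 dawns"]:
        article = brute_force_attempts(pw)
        print(f"{pw!r}: article model {article:.3e} guesses "
              f"({years_to_exhaust(article):.2g} years at {GUESSES_PER_SECOND:,}/s), "
              f"worst case {worst_case_attempts(pw):.3e}; problems: {check_passphrase(pw)}")
```

The two estimates differ because the article's formula credits the attacker with knowing how many letters and digits the password holds and where they sit; a checker that enforces guideline 1 (length) matters more than any single character class, since the exponent, not the base, dominates both numbers.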
Enforcing a strong password is essential to keeping your WordPress site safe, but it doesn’t have to be a difficult task, or something that is impossible to remember. Choosing a passphrase wisely is key to reducing the risk to your WordPress site’s security.
There is no such thing as a completely secure website, though, so the wise thing to do is to use a WordPress firewall to keep attacks at bay, in conjunction with enforcing a strong passphrase. Investing in an accurate, intelligent malware scanner and cleaner helps remove any malicious code that may have made its way onto your WordPress site.