A Plethora of Passwords

How to create strong passwords, and why you should care.

Image by goodmami (CC BY-SA 2.0)

There are a number of irritating things experts insist you must do for your own good: eat nine servings of veggies a day; maintain a diverse retirement portfolio; check your transmission fluid every month. Most of us ignore a lot of this advice, because there’s no end to it, and our lives are complicated enough.

Photo by Kit

As a habitual good advice ignorer myself, I realize that when I tell you I’m here today to talk about passwords, you’ll want to tune me out. But wait! Good password hygiene is more important than flipping your mattress.

Think of your passwords as keys to your online house. You wouldn’t have the same key unlock your house, your office, your car, and your safety deposit box, would you? So why would you use the same password for your blog, PayPal, your bank’s website, your email, and any number of other sites and online services?

Yet many people do. And just as you wouldn’t lock up your house with a sailor’s knot, why would you lock up your blog with your easily guessed pet’s name?

Password Dos and Don’ts:

  • DO use strong, long passwords.
  • DO use a different password for each account.
  • DO invest in a password manager.
  • DON’T write your passwords down, email them, or share them with anyone.
  • DON’T forget to log out on shared computers.
  • DO enable two-step authentication where available.

It’s extremely important to protect yourself online. Were a hacker to crack your WordPress.com password, they could permanently delete everything on your blog before you even knew they were in it, and as devastating as that would be, it’s nothing compared to the pain of identity fraud.

Not to alarm you — at WordPress.com, we monitor potentially harmful activity to ensure there is no unauthorized access to your content, and we take security very seriously. Even so, it’s important that you protect yourself as well. Here’s how:

Create strong passwords

When I say strong, I don’t just mean difficult for a person to guess. (I’d hope that all of you know better than to use one of these 25 most-used passwords.) Hackers use computer programs to break passwords, so even if your selected password is bizarre or random, that doesn’t mean it’s strong enough.

Many login forms prompt you to create a password of random letters, numbers, and symbols. But such a password (for example, jal43#Koo%a) is actually very easy for a computer to break. The latest and most effective types of password attacks can attempt up to 350 billion guesses per second, and hackers are continually improving their efforts.

Instead, try using four or more random words in a long string, or passphrase, as described in this comic from xkcd.com:

[xkcd comic on passphrase strength. Courtesy of xkcd.com]
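The comic's argument is arithmetic: a password is only as strong as the number of equally likely values it could have been, and every extra random word multiplies that number by the size of the word list. The script below is an added example (not code from the post or from WordPress.com) that puts numbers on that argument. It uses the post's 350 billion guesses per second as the offline cracking rate, assumes 1,000 guesses per second for an online login form that throttles attempts, assumes a 7,776-word diceware-style list, and generates a passphrase from a small constructed word list using the operating system's secure random source.

```python
import math
import secrets

# Constructed sample word list for the generator. A real passphrase list is far
# larger (diceware-style lists have 7776 words); the pool size is what sets entropy.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "orbit", "velvet", "lantern",
    "quartz", "meadow", "copper", "tundra", "saddle", "glacier", "pepper",
    "harbor", "walnut",
]

PRINTABLE_ASCII = 95   # letters, digits and symbols on a US keyboard
LOWERCASE = 26
DICEWARE_WORDS = 7776  # size of a standard diceware-style list (assumed)

# Guess rates used for the estimates. 350e9/s is the figure quoted in the post
# (offline cracking); 1000/s is an assumed rate for an online login form that
# throttles attempts.
OFFLINE_RATE = 350e9
ONLINE_RATE = 1000.0


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy in `picks` independent, uniform choices from `pool_size` options.

    This only holds for genuinely random choices. A word with a few predictable
    substitutions has far fewer effective bits than its length suggests.
    """
    return picks * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, for display."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def generate_passphrase(words, count: int = 4, separator: str = " ") -> str:
    """Pick `count` words with the OS CSPRNG (secrets), never random.choice."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_schemes():
    """Entropy and crack-time estimates for several schemes, returned as a dict."""
    schemes = {
        "8 lowercase letters": entropy_bits(LOWERCASE, 8),
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "4 diceware words": entropy_bits(DICEWARE_WORDS, 4),
        "6 diceware words": entropy_bits(DICEWARE_WORDS, 6),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "offline": human_duration(expected_crack_seconds(bits, OFFLINE_RATE)),
            "online": human_duration(expected_crack_seconds(bits, ONLINE_RATE)),
        }
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, row in compare_schemes().items():
        print(f"{name:26} {row['bits']:5.1f} bits  "
              f"offline: {row['offline']:>16}  online: {row['online']}")
    print("\nexample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Running it shows the two things the comic and the post are getting at. First, eight lowercase letters (about 38 bits) fall in well under a second at the post's offline rate, while four random words (about 52 bits) take hours offline and tens of thousands of years against a throttled login, and six words push the offline figure into millennia, which is why the post says four *or more*. Second, these figures only apply when a machine makes each choice; the entropy function cannot be applied to a password a person thought up, because the pool a person draws from is far smaller than the character set.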

Use unique passwords and a password manager

Now that you have your strong passphrase, don’t turn around and use the same one for all of your sites. You should use a unique password for every single site that you log into online.

Naturally, it’s difficult, if not impossible, to remember all of those different passwords. But you should never store your passwords in a text document on your hard drive, or write them down on a piece of paper: these methods are like putting all of your money into a shoebox and locking it in the trunk of your car.

Instead, use a password manager, such as LastPass or 1Password, or one of the additional password managers we suggest here. With a password manager, you need only remember one single strong master password. That password unlocks the password manager, which integrates with your browser to log you into all of your online services without your having to remember any of their passwords.

Not all are free, and it might be an afternoon’s time investment to put all your passwords into the password manager (not to mention change your existing weak passwords to stronger ones), but it’s time and money very well-spent.

Other tips

Additionally, if you ever use a shared computer, be sure to explicitly log out of all of your accounts before leaving it. Browsers sometimes remain logged into websites for convenience, and you don’t want your account to be accessible to the next person who comes along.

Warning! Never, ever email your password to anyone, even support staff of the online service you’re attempting to use. If anyone ever asks you to provide them with a password over email, you should be very suspicious and should probably refuse.

And finally, many services (including WordPress.com) now provide two-step authentication, which sends a code to your mobile phone when you log in. This is very secure, because a remote hacker will not have access to your mobile device, so even if your password is cracked, two-step authentication ensures that your account stays safe.

I hope that I’ve convinced you to start taking steps to improve your online security. It’s a hassle, sure, but as with most annoying good advice, it becomes easier to follow the more you make a habit of it. Now, go eat some broccoli!

76 Comments

Comments are closed.

    1. Headache, it seems. The other day one teenage computer geek told me when you’re online, everything on your hard drive gets uploaded to ‘someone’. God knows the truth. In that case, we need a blank computer to go online!

      1. I’ve never been hacked directly though I am online a lot and have been for many years. I am careful where I go and what I do while I’m there. Unfortunately, my bank and several major vendors I use HAVE been hacked and it seems to me my biggest danger is not hackers who are after me but those who are after WordPress and similar large organizations. That’s where huge amounts of user data are stored and that’s what hackers are after. My passwords are fine thank you … but they won’t stop hackers from getting into the servers where my personal information is stored. My passwords might stop an amateur who is just messing around from getting in … but that’s not what I worry about.

        No one has addressed the not-so-minor detail of “cloud” and “server” security. Until that issue is at least discussed, this conversation is just blather. No matter what I do, my computers remain exactly as vulnerable as the organizations whose services I employ.

        So what about WordPress? Don’t say “impossible.” NOTHING is impossible. Not after I’ve been hacked through Bank of America and Adobe, among others.

        Impressing the importance of security on users is a nice way to never answer the question: “And what measures are YOU taking to protect ME?”

        It’s a valid question. I’d like to hear a genuine response.

  1. Note: I DON’T HAVE A MOBILE PHONE. I wish you’d stop asking for its number. Really annoying. Some of us don’t use them and don’t need them. They are expensive and if you aren’t on the road much — and you own real cameras and don’t text — life can proceed just like it used to before everyone felt they had to be connected and available to the entire world 24/7. I WANT to be out of touch sometimes. Those phones are an electronic leash. You are never free, never alone, never unreachable. Worse, you can’t make a simple phone call and get decent audio and not have the call drop in the middle. Phew. I feel better now.

      1. Fortunately, I have the kind of stuff on my computer in which no one is particularly interested. My bank has been hacked (Bank of America). Adobe was hacked. Lands End was hacked. I’m a customer of all three. If THEY get hacked, I think my paltry security efforts are not likely to stop a determined hacker. It’s like home security systems and car alarms. Any thief who really wants to break in is going to do it and none of our little alarm systems or codes is going to stop them. I try to make sure that critical information isn’t on my computer. My computer guy pointed out that hackers are looking for salable information. Mailing lists. Credit card numbers, preferably a lot of them. They aren’t looking for my photographs or manuscript files. Before we get all lathered up, it’s worth considering how much of a target each of us really is. Then take a few deep breaths and put the whole thing into perspective.

        If they got through to Bank of America, Lands End and Adobe, if they want YOU or ME, they will get us. I know people who could hack the CIA if they wanted to. We all need to calm down. Yes, we might get hacked. I’ve been hacked. I’ve had to change email addresses, change passwords, clean applications … but it’s never been MY computer or ME that was the target. It was always Facebook or someplace from which I buy things or whose services I use. Before you get crazy over this, think about that. Because you are only as safe as the place you go and the services you use.

    1. The growth of mobile use shows no signs of slowing. Mobile data traffic worldwide will increase 13 times by 2017. By 2017, there will be more than 10 billion mobile-ready devices and M2M connections, up from 7 billion total mobile-ready devices and M2M connections in 2012.

      Consider these mind boggling facts:

      there are more people who own mobiles than those who own toothbrushes;
      millions have mobile devices but no electricity;
      by 2015 a majority in the Middle East and Southeast Asia will live “off-grid, on-net”;
      and, by the end of this year there will be more mobiles on the planet than there are people.

      I don’t own or want to own a cell phone but I acknowledge that legions of users do and that WordPress.com Staff are focused on making this site mobile friendly.

      I just ignore the request for a mobile phone number because the request in no way, shape or form has the power to affect my life, unless I choose to work myself up over it and I don’t. My recommendation is to focus on your blogging rather than waste time and energy sweating the small stuff that doesn’t matter.

      1. That’s what everyone I know who has one does and I’m LOL at this lengthy off-topic falalalala going on here. :D

        Do you leave your home with your phone and have it with you at all times?

        Do you refuse to read and follow written instructions and demand to “speak to a human being” when dealing with businesses online?

        Do you sleep with your phone?

        If you answer yes to those then the bad news is that you are probably a cellphone addict who may also suffer from nomophobia.

        The good news is that you can control all of that. No electronic gadget can control your life or even affect it, unless you allow it to.

    2. “Electronic Leash”–great description. I find myself longing to be out of touch. Thanks, and glad you feel better…

      1. One day, I realized I never — and I mean really NEVER — voluntarily used my cell phone. And moreover, I didn’t want to be reachable all the time. I cancelled my service. What a relief! $50 a month to spend on something else … and peace reigns when I am not home!

    3. They aren’t that bad/expensive. I’ve an old banger which I habitually turn off when I don’t want to be available. It does the job (decent calls, texts, weeklong battery life, as it’s not a smart phone) and it’s on pay as you go. I also have an older model smart phone which I only use as a camera/iPod and not for phone calls ;-) You can use mobiles rather than be used by them.

      1. Why bother? Really. What purpose does it serve? I use cameras to take pictures. I make my calls from home and anyone who needs to reach me when I’m out can leave a message. My home phone costs me $4.99/month and the price will never go up. For unlimited calls to the entire US, Canada and Mexico. Why do I need a mobile phone? I’m not even especially mobile.

      2. You have a point: if you don’t need it, you don’t.

        Just to stay on topic: I’ve no particular fear of passwords. The list of 25 most used ones was rather funny. Who knew monkey was so popular!

      3. I am more worried about the security of the servers on which my information is stored than the power of my individual passwords. Hackers target servers that have customer information for large numbers of people. If WordPress (for example) got hacked, the strength of my personal password would be irrelevant. The ONLY time my “stuff” has been compromised is when the servers that store my personal information were hacked. I was merely collateral damage.

      4. Hey all – this is an interesting subject, but a bit off-topic to this post. Let’s keep comments to the subject of passwords and online security. :)

        If you have strong opinions about mobile phones, please do blog about it!

    1. Yeah – I considered using a password manager, but then realized if ever it was hacked it’d just be full access. I could understand using it if they vowed super-protection because you ritually sacrifice a cup of coffee, but collecting everything in one place just doesn’t seem safe.

      Has anyone else had a good/bad experience with password managers?

  2. Wow, I never actually thought to think of passwords like keys, but although it comes off as unusual it makes sense as to why we should view passwords as extremely valuable, as many of us do use PayPal etc.

  3. Thanks so much for posting this article. I don’t know what I’d do if my entire blog was wiped out after all the work I’ve put in. It’s a lot of work to write for one, not to mention 2 blogs, so it would be devastating if anything happened. It seems like a no-brainer to take the necessary steps to safeguard my password(s). Thanks again! Going to eat some broccoli now! :)

  4. I keep all my passwords listed in the notes section of my phone since I always make them a random mixture of letters and numbers jumbled together and usually I forget them just about as soon as I create them. That being said – sure hope I never lose my phone!

    1. I recently learned that it’s easier to hack a cell phone than it is a computer. If you’re storing all your passwords on your cell phone, I hope you aren’t being specific… (for example: WordPress – Monkey123; Email: 123Monkey, etc.) If someone wants to target you (very unlikely) you’re handing them the info. Just an FYI.

    2. I bought an iPod at the local thrift shop the other day. It was an older model, uncharged, and the staff didn’t even know if it worked. So I gave them a few dollars and took it home — WOW! Whoever donated it had EVERYTHING stored on it — bank accounts, passwords, credit card #s, SS#s, every piece of confidential financial info a thief could want! They’re lucky it fell into honest hands — I deleted all those files post haste.

      So be careful when you update your electronics!

      1. Wow, I can’t believe this person failed to “wipe” their phone before they gave it away. Good thing you were the one who came into possession of it–they could have been in a world of hurt. Whenever I give away/sell an obsolete (for me) computer, cell, etc., I am obsessed with the “backup-wipe-wipe again-run it to make sure it’s wiped” ritual. OK, I am on the Spectrum, but I don’t think that accounts for my security-protection obsession.

  5. I have so many different passwords, it’s amazing that I can keep up with any of them… and with all the hacking going on, sometimes it’s hard to keep track…

  6. Unfortunately, I am all too familiar with the topic of strong passwords. It has taken me 6 years, one desktop, 2 laptops, 2 tablets, 2 cell phones and $300 to Omni Tech to rid my electronics of my computer hacking ex. Strong passwords are a MUST in today’s world. We don’t realize how much personal info is stored in our electronics (for example, I use Amazon quite often. So often that my payment info is automatically stored to make checking out easier.) Well, every time I bring a new electronic into my house, they all sync. So, just because I don’t necessarily use my cell phone to order from the site, my info is right there for the taking, should my password be weak. And as troublesome as it is, changing passwords at least once a month is a very good thing to consider. After Omni Tech did a scan on my 2 week old laptop, they were able to tell me that more than one person had been in my computer. That’s very scary when you actually stop and think of all the personal info these strangers had in the palm of their hands… I do hope you all take this post seriously.

  7. Thank you for such a relevant article, I have never seen it explained so well about having a simple 4 word password rather than a complicated affair that we cannot remember.
    I have always been a bit sceptical about password safes, I love the idea but I am just not sure if I really trust them!

  8. Thanks so much Elizabeth! I am on vacation next week and will spend some time working on my password management. Will use the tools you suggested. Had no idea a hacker could delete ALL my content! How naive of me. Thanks again for the tips.

  9. There are clearly pros and cons to each system and surely the problem with a password manager is that if somebody hacks your computer then they have access to everything? I’m not content putting all my eggs in one basket, personally.

  10. The only problem is that not every site that requires a password allows for long passwords. I have a bank that will only let me do a short password, and another site doesn’t allow spaces but requires it to be exactly a certain number of characters and two of everything. It makes it really hard to come up with stuff because everyone’s trying to second guess the hackers.

  11. I didn’t know there was such a thing as a password manager. What a great idea. I’m going to invest some time in using one, because I just can’t remember all our passwords and it can become very confusing. Thanks for this informative post. And I love your sense of humour!

  12. Excellent advice, except: 1Password is unreliable, and it’s a good thing I have my passwords stored (somewhere) offline, because in its last “upgrade” it lost all my passwords. And: I live part time in the US, and part time in another country (not a unique situation, and many, many, many WP users live in countries other than the US of A), so 2-step authentication is really not an option for us. Thank you very much and a good day to everyone!

  13. Very good. I tend to consider myself very up to date with technical stuff – as it was my “business” in a former life. However, I’m not nearly as diligent on this front as I should be. One thing I’ve started doing though … coming up with some crazy, random letters and numbers … and then in my head, making a silly sentence so I can remember it.

  14. With such things as Facebook, Twitter, Tumblr etc., social media is taking its step up a notch to secure their users from hackers. However safety is still an issue. Coming from an I.T. in the making, I would advise everyone to create sentences in which the first letter of each word in the sentence could be a letter or number to the password. An example would be: I Loved To Get Ice Cream On My 12th Birthday. The password could then be ILTGICOM1B. (Not that this is my password for anything, so hackers beware.) Just food for thought.

  15. Great points, but now who is going to remind you how to get into the password that you create for the manager? Just a little humor for those of us who might need a memory jolt every now and then.

  16. Hello Liz
    I must say that this post is very informative and I agree. I have issues with memory so I try to use passwords that are rather unique. Great job, please keep it up.

  17. One of my friends changes his password for banking every time he does some online shopping. When asked, he says it makes sense to change the password for security purposes.
    I think it is a good way to secure banking. Any suggestions for it?

  18. Useful advice about long passwords. Not so convinced about password managers as opposed to paper – last time I checked it was not possible to hack a piece of paper! The chance of a burglar breaking into my home and finding it is remote, why would they bother, and they can be well hidden.

  19. Passwords are the bane of my life! I have three email accounts, which I use for different things. One is dedicated to writing, one for friends/family and another for shopping. That means three passwords. Then there are several bank accounts — more passwords. Not to mention Facebook, WordPress, supermarket etc., etc. I do quite a bit of online shopping, and I prefer it if the site uses PayPal as one of the options for paying. Recently I was speaking with my bank, and they suggested they open a separate account for me dedicated to online shopping. When I want to shop online, I transfer money from my main account to that account and just leave a balance of $5. If anyone were to try and hack my bank account, all they are going to get is $5. Unfortunately, because there are some evil people around, passwords themselves are a necessary evil.

    1. Yes! What you said… and worse is when you type in your password correctly and the site says it doesn’t recognize it. Which has happened to me on my WordPress mobile account many times. I got rid of two-step authentication, because most of the time I couldn’t even get in.
      That mini-rant completed, I do appreciate this post and the tips. I’m off to think up some good 4 word phrases…

  20. Excellent advice, too often with computers we choose the complex path when a more simple and effective solution is right in front of us.

  21. I’ve been using LastPass for a few years now and it’s great for keeping up with all of the logins and passwords you have to create. Highly recommended!

  22. Hi!! Yes, I loved it! The very issue of passwords has always been worth my attention because you can always win. One of my old long passwords was 7TofuRed, like SOUP514; these were all meant to be environmental sounding passwords to the ears but they cost me a lot to make up in the long run. I finally accepted my mistakes and realize your expert advice cleared things up in 4 minutes, so thank you. I had a good time with the help you gave me Elizabeth! Take Care!

  23. Very useful stuff and great tips. You made things simple to understand by giving perfect example of online house and key. I will take care. Thanks!

  24. This article, although it was informative, didn’t really excite me; however, the image of the keys has given me inspiration for a short story. Maybe I will share it when I get it finished.
    Thank you for that.