A Plethora of Passwords

How to create strong passwords, and why you should care.

Image by goodmami (CC BY-SA 2.0)

There are a number of irritating things experts insist you must do for your own good: eat nine servings of veggies a day; maintain a diverse retirement portfolio; check your transmission fluid every month. Most of us ignore a lot of this advice, because there’s no end to it, and our lives are complicated enough.

Photo by Kit

As a habitual good advice ignorer myself, I realize that when I tell you I’m here today to talk about passwords, you’ll want to tune me out. But wait! Good password hygiene is more important than flipping your mattress.

Think of your passwords as keys to your online house. You wouldn’t have the same key unlock your house, your office, your car, and your safety deposit box, would you? So why would you use the same password for your blog, PayPal, your bank’s website, your email, and any number of other sites and online services?

Yet many people do. And just as you wouldn’t lock up your house with a sailor’s knot, why would you lock up your blog with your easily guessed pet’s name?

Password Dos and Don’ts:

  • DO use strong, long passwords.
  • DO use a different password for each account.
  • DO invest in a password manager.
  • DON’T write your passwords down, email them, or share them with anyone.
  • DON’T forget to log out on shared computers.
  • DO enable two-step authentication where available.

It’s extremely important to protect yourself online. Were a hacker to crack your WordPress.com password, they could permanently delete everything on your blog before you even knew they were in it, and as devastating as that would be, it’s nothing compared to the pain of identity fraud.

Not to alarm you — at WordPress.com, we monitor potentially harmful activity to ensure there is no unauthorized access to your content, and we take security very seriously. Even so, it’s important that you protect yourself as well. Here’s how:

Create strong passwords

When I say strong, I don’t just mean difficult for a person to guess. (I’d hope that all of you know better than to use one of these 25 most-used passwords.) Hackers use computer programs to break passwords, so even if your selected password is bizarre or random, that doesn’t mean it’s strong enough.

Many login forms prompt you to create a password of random letters, numbers, and symbols. But such a password (for example, jal43#Koo%a) is actually very easy for a computer to break. The latest and most effective types of password attacks can attempt up to 350 billion guesses per second, and hackers are continually improving their efforts.

Instead, try using four or more random words in a long string, or passphrase, as described in this comic from xkcd.com:

Courtesy of xkcd.com
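The comic's argument is about where the bits in a password come from, so here is an added worked example (my code, not code from the post or from WordPress.com) that puts numbers on it: it computes the entropy of several password strategies, works out how long the 350 billion guesses per second quoted above would take to exhaust each one, and draws a passphrase with a cryptographically secure random choice. The budget for the mangled dictionary word is the xkcd comic's own estimate for "Tr0ub4dor&3"; the 7776-word Diceware list size, the 95-character printable alphabet, the tiny constructed sample word list and the function names are my assumptions for illustration.

```python
import math
import secrets

# Guess rate the post quotes for the fastest password attacks:
# 350 billion guesses per second (an offline attack on a fast hash).
GUESSES_PER_SECOND = 350e9

# Constructed sample word list, used only to demonstrate the generator.
# A real passphrase list needs thousands of words (Diceware has 7776);
# entropy is computed from the list's actual size, so this tiny list
# would produce a weak passphrase.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "broccoli",
                "mattress", "shoebox", "sailor", "plethora", "hygiene"]


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random selections from
    `choices` equally likely options: picks * log2(choices)."""
    return picks * math.log2(choices)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at `rate` guesses per second. The
    attacker expects to succeed after roughly half of them."""
    return 2.0 ** bits / rate


def human_duration(seconds: float) -> str:
    """Round a duration to the largest convenient unit for display."""
    if seconds < 60:
        return f"{seconds:.3g} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.3g} hours"
    if seconds < 365.25 * 86400:
        return f"{seconds / 86400:.3g} days"
    return f"{seconds / (365.25 * 86400):,.3g} years"


# Entropy budgets for several password strategies. The first is the xkcd
# comic's estimate for "Tr0ub4dor&3": an uncommon base word (16 bits) plus
# capitalisation (1), common substitutions (3), an appended digit (3), a
# symbol (4) and their order (1). Cracking tools apply exactly these
# mangling rules, which is why a word with substitutions is not random.
# The remaining rows are genuinely uniform random choices (assumed sizes).
STRATEGIES = {
    "mangled dictionary word (xkcd estimate)": 16 + 1 + 3 + 3 + 4 + 1,
    "4 words from a 2048-word list (xkcd)": entropy_bits(2048, 4),
    "4 words from a 7776-word Diceware list": entropy_bits(7776, 4),
    "6 words from a 7776-word Diceware list": entropy_bits(7776, 6),
    "11 uniformly random printable ASCII characters": entropy_bits(95, 11),
}


def crack_estimates(rate: float = GUESSES_PER_SECOND) -> dict:
    """Map each strategy to (entropy bits, seconds to exhaust the space)."""
    return {name: (bits, seconds_to_exhaust(bits, rate))
            for name, bits in STRATEGIES.items()}


def generate_passphrase(wordlist: list, count: int = 4) -> str:
    """Pick `count` words with the OS CSPRNG (secrets, not random) so the
    choice is uniform and unpredictable; join them with spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))


def passphrase_bits(wordlist: list, count: int = 4) -> float:
    """Entropy of a passphrase drawn by generate_passphrase from wordlist."""
    return entropy_bits(len(wordlist), count)


if __name__ == "__main__":
    for name, (bits, secs) in crack_estimates().items():
        print(f"{name:48s} {bits:6.1f} bits  {human_duration(secs)}")
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(f"\nsample passphrase: {phrase!r} "
          f"({passphrase_bits(SAMPLE_WORDS):.1f} bits from a "
          f"{len(SAMPLE_WORDS)}-word list: far too few)")
```

Two things stand out in the output. Four words from a small list fall to the quoted guess rate in under a minute, which is why the advice is "four or more" words and why the size of the word list matters as much as the count. And an 11-character string is strong only when it is genuinely random, such as one a password manager generates for you; a person who starts from a word and applies substitutions gets the 28-bit row, not the 72-bit one. The 350 billion figure describes an offline attack against a fast hash; a site that rate-limits logins or stores passwords with a slow hash such as bcrypt forces far fewer guesses per second, but you have no way of knowing which kind of site you are dealing with.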

Use unique passwords and a password manager

Now that you have your strong passphrase, don’t turn around and use the same one for all of your sites. You should use a unique password for every single site that you log into online.

Naturally, it’s difficult, if not impossible, to remember all of those different passwords, though. And you should never store your passwords in a text document on your hard drive, or write them down on a piece of paper, as these methods are kind of like putting all of your money into a shoebox and locking it in the trunk of your car.

Instead, use a password manager, such as LastPass or 1Password, or one of the additional password managers we suggest here. With a password manager, you need only remember one single strong master password. That password will unlock the password manager, which will integrate with your browser to unlock all of your online services without your having to remember any of them.

Not all are free, and it might be an afternoon’s time investment to put all your passwords into the password manager (not to mention change your existing weak passwords to stronger ones), but it’s time and money very well spent.

Other tips

Additionally, if you ever use a shared computer, be sure to explicitly log out of all of your accounts before leaving it. Browsers sometimes remain logged into websites for convenience, and you don’t want your account to be accessible to the next person who comes along.

Warning! Never, ever email your password to anyone, even support staff of the online service you’re attempting to use. If anyone ever asks you to provide them with a password over email, you should be very suspicious and should probably refuse.

And finally, many services (including WordPress.com) now provide two-step authentication, which sends a code to your mobile phone when you log in. This is very secure: a remote hacker will not have access to your mobile device, so even if your password is cracked, two-step authentication ensures that your account stays safe.

I hope that I’ve convinced you to start taking steps to improve your online security. It’s a hassle, sure, but as with most annoying good advice, it becomes easier to follow the more you make a habit of it. Now, go eat some broccoli!

76 Comments

    1. Headache, it seems. The other day one teenage computer geek told me when you’re online, everything on your hard drive gets uploaded to ‘someone’. God knows the truth. In that case, we need a blank computer to go online!

      1. I’ve never been hacked directly though I am online a lot and have been for many years. I am careful where I go and what I do while I’m there. Unfortunately, my bank and several major vendors I use HAVE been hacked and it seems to me my biggest danger is not hackers who are after me but those who are after WordPress and similar large organizations. That’s where huge amounts of user data are stored and that’s what hackers are after. My passwords are fine thank you … but they won’t stop hackers from getting into the servers where my personal information is stored. My passwords might stop an amateur who is just messing around from getting in … but that’s not what I worry about.

        No one has addressed the not-so-minor detail of “cloud” and “server” security. Until that issue is at least discussed, this conversation is just blather. No matter what I do, my computers remain exactly as vulnerable as the organizations whose services I employ.

        So what about WordPress? Don’t say “impossible.” NOTHING is impossible. Not after I’ve been hacked through Bank of America and Adobe, among others.

        Impressing the importance of security on users is a nice way to never answer the question : “And what measures are YOU taking to protect ME?”

        It’s a valid question. I’d like to hear a genuine response.

  1. Note : I DON’T HAVE A MOBILE PHONE. I wish you’d stop asking for its number. Really annoying. Some of us don’t use them and don’t need them. They are expensive and if you aren’t on the road much — and you own real cameras and don’t text — life can proceed just like it used to before everyone felt they had to be connected and available to the entire world 24/7. I WANT to be out of touch sometimes. Those phones are an electronic leash. You are never free, never alone, never unreachable. Worse, you can’t make a simple phone call and get decent audio and not have the call drop in the middle. Phew. I feel better now.

      1. Fortunately, I have the kind of stuff on my computer in which no one is particularly interested. My bank has been hacked (Bank of America). Adobe was hacked. Lands End was hacked. I’m a customer of all three. If THEY get hacked, I think my paltry security efforts are not likely to stop a determined hacker. It’s like home security systems and car alarms. Any thief who really wants to break in is going to do it and none of our little alarm systems or codes is going to stop them. I try to make sure that critical information isn’t on my computer. MY computer guy pointed out that hackers are looking for salable information. Mailing lists. Credit card numbers, preferably a lot of them. They aren’t looking for my photographs or manuscript files. Before we get all lathered up, it’s worth considering how much of a target each of us really is. Then take a few deep breaths and put the whole thing into perspective.

        If they got through to Bank of America, Lands End and Adobe, if they want YOU or ME, they will get us. I know people who could hack the CIA if they wanted to. We all need to calm down. Yes, we might get hacked. I’ve been hacked. I’ve had to change email addresses, change passwords, clean applications … but it’s never been MY computer or ME that was the target. It was always Facebook or someplace from which I buy things or whose services I use. Before you get crazy over this, think about that. Because you are only as safe as the place you go and the services you use.

    1. The growth of mobile use shows no signs of slowing. Mobile data traffic worldwide will increase 13 times by 2017. By 2017, there will be more than 10 billion mobile-ready devices and M2M connections, up from 7 billion total mobile-ready devices and M2M connections in 2012.

      Consider these mind boggling facts:

      there are more people who own mobiles than those who own toothbrushes;
      millions have mobile devices but no electricity;
      by 2015 a majority in the Middle East and Southeast Asia will live “off-grid, on-net”;
      and, by the end of this year there will be more mobiles on the planet than there are people.

      I don’t own or want to own a cell phone but I acknowledge that legions of users do and that WordPress.com Staff are focused on making this site mobile friendly.

      I just ignore the request for a mobile phone number because the request in no way, shape or form has the power to affect my life, unless I choose to work myself up over it and I don’t. My recommendation is to focus on your blogging rather than waste time and energy sweating the small stuff that doesn’t matter.

      1. That’s what everyone I know who has one does and I’m LOL at this lengthy off-topic falalalala going on here. :D

        Do you leave your home with your phone and have it with you at all times?

        Do you refuse to read and follow written instructions and demand to “speak to a human being” when dealing with businesses online?

        Do you sleep with your phone?

        If you answer yes to those then the bad news is that you are probably a cellphone addict who may also suffer from nomophobia.

        The good news is that you can control all of that. No electronic gadget can control your life or even affect it, unless you allow it to.

      1. One day, I realized I never — and I mean really NEVER — voluntarily used my cell phone. And moreover, I didn’t want to be reachable all the time. I cancelled my service. What a relief! $50 a month to spend on something else … and peace reigns when I am not home!

    2. They aren’t that bad/expensive. I’ve an old banger which I habitually turn off when I don’t want to be available. It does the job (decent calls, texts, weeklong battery life, as it’s not a smart phone) and it’s on pay as you go. I also have an older model smart phone which I only use as a camera/iPod and not for phone calls ;-) You can use mobiles rather than be used by them.

      1. Why bother? Really. What purpose does it serve? I use cameras to take pictures. I make my calls from home and anyone who needs to reach me when I’m out can leave a message. My home phone costs me $4.99/month and the price will never go up. For unlimited calls to the entire US, Canada and Mexico. Why do I need a mobile phone? I’m not even especially mobile.

      2. You have a point: if you don’t need it, you don’t.

        Just to stay on topic: I’ve no particular fear of passwords. The list of 25 most used ones was rather funny. Who knew monkey was so popular!

      3. I am more worried about the security of the servers on which my information is stored than the power of my individual passwords. Hackers target servers that have customer information for large numbers of people. If WordPress (for example) got hacked, the strength of my personal password would be irrelevant. The ONLY time my “stuff” has been compromised is when the servers that store my personal information were hacked. I was merely collateral damage.

      4. Hey all – this is an interesting subject, but a bit off-topic to this post. Let’s keep comments to the subject of passwords and online security. :)

        If you have strong opinions about mobile phones, please do blog about it!

    1. Yeah – I considered using a password manager, but then realized if ever it was hacked it’d just be full access. I could understand using it if they vowed super-protection because you ritually sacrifice a cup of coffee, but collecting everything in one place just doesn’t seem safe.

      Has anyone else had a good/bad experience with password managers?

  2. Wow, I never actually thought to think of passwords like keys, but although it comes off as unusual it makes sense as to why we should view passwords as extremely valuable, as many of us do use PayPal etc.

  3. Thanks so much for posting this article. I don’t know what I’d do if my entire blog was wiped out after all the work I’ve put in. It’s a lot of work to write for one, not to mention 2 blogs, so it would be devastating if anything happened. It seems like a no-brainer to take the necessary steps to safeguard my password(s). Thanks again! Going to eat some broccoli now! :)

  4. I keep all my passwords listed in the notes section of my phone since I always make them a random mixture of letters and numbers jumbled together and usually I forget them just about as soon as I create them. That being said – sure hope I never lose my phone!

    1. I recently learned that it’s easier to hack a cell phone than it is a computer. If you’re storing all your passwords on your cell phone, I hope you aren’t being specific… (for example: WordPress – Monkey123; Email: 123Monkey, etc.) If someone wants to target you (very unlikely) you’re handing them the info. Just an FYI.

    2. I bought an iPod at the local thrift shop the other day. It was an older model, uncharged, and the staff didn’t even know if it worked. So I gave them a few dollars and took it home — WOW! Whoever donated it had EVERYTHING stored on it — bank accounts, passwords, credit card #s, SS#s, every piece of confidential financial info a thief could want! They’re lucky it fell into honest hands — I deleted all those files post haste.

      So be careful when you update your electronics!

      1. Wow, I can’t believe this person failed to “wipe” their phone before they gave it away. Good thing you were the one who came into possession of it–they could have been in a world of hurt. Whenever I give away/sell an obsolete (for me) computer, cell, etc., I am obsessed with the “backup-wipe-wipe again-run it to make sure it’s wiped” ritual. OK, I am on the Spectrum, but I don’t think that accounts for my security-protection obsession.

  5. Unfortunately, I am all too familiar with the topic of strong passwords. It has taken me 6 years, one desktop, 2 laptops, 2 tablets, 2 cell phones and $300 to Omni Tech to rid my electronics of my computer hacking ex. Strong passwords are a MUST in today’s world. We don’t realize how much personal info is stored in our electronics (for example, I use Amazon quite often. So often that my payment info is automatically stored to make checking out easier.) Well, every time I bring a new electronic into my house, they all sync. So, just because I don’t necessarily use my cell phone to order from the site, my info is right there for the taking, should my password be weak. And as troublesome as it is, changing passwords at least once a month is a very good thing to consider. After Omni Tech did a scan on my 2 week old laptop, they were able to tell me that more than one person had been in my computer. That’s very scary when you actually stop and think of all the personal info these strangers had in the palm of their hands… I do hope you all take this post seriously.

  6. Thank you for such a relevant article, I have never seen it explained so well about having a simple 4 word password rather than a complicated affair that we cannot remember.
    I have always been a bit sceptical about password safes, I love the idea but I am just not sure if I really trust them!

  7. Thanks so much Elizabeth! I am on vacation next week and will spend some time working on my password management. Will use the tools you suggested. Had no idea a hacker could delete ALL my content! How naive of me. Thanks again for the tips.

  8. There are clearly pros and cons to each system and surely the problem with a password manager is that if somebody hacks your computer then they have access to everything? I’m not content putting all my eggs in one basket, personally.

  9. The only problem is that not every site that requires a password allows for long passwords. I have a bank that will only let me do a short password, and another site doesn’t allow spaces but requires it to be exactly a certain number of characters and two of everything. It makes it really hard to come up with stuff because everyone’s trying to second guess the hackers.

  10. I didn’t know there was such a thing as a password manager. What a great idea. I’m going to invest some time in using one, because I just can’t remember all our passwords and it can become very confusing. Thanks for this informative post. And I love your sense of humour!

  11. Excellent advice, except: 1Password is unreliable, and it’s a good thing I have my passwords stored (somewhere) offline, because in its last “upgrade” it lost all my passwords. And: I live part time in the US, and part time in another country (not a unique situation, and many, many, many WP users live in countries other than the US of A), so 2-step authentication is really not an option for us. Thank you very much and have a good day, everyone!

  12. Very good. I tend to consider myself very up to date with technical stuff – as it was my “business” in a former life. However, I’m not nearly as diligent on this front as I should be. One thing I’ve started doing though … coming up with some crazy, random letters and numbers … and then in my head, making a silly sentence so I can remember it.
