People realize that passwords are important, but many don’t fully understand the importance of strong passwords and what a “strong password” is. Hopefully this article will help define what a strong password is and why you need it.
A common threat that anyone with an online login faces is a password-guessing attack known as a brute-force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until it finds the one correct combination. If your WordPress website uses /wp-admin, you are a good target for a brute-force attack. This article focuses on the importance of strong passwords with regard to your WordPress website; however, it applies just as much to your other online accounts. Other vital online accounts, such as banking, utility company logins for bill pay, online stores, etc., should follow these guidelines as well.
A study that tested state-of-the-art password guessing techniques found that requiring numbers and uppercase characters in passwords did little to make them stronger. Making a password longer and including symbols was much more effective in protecting against brute-force attacks.
- Passwords should have 12 Characters, Minimum: You need to choose a password that’s long enough. There really isn’t a minimum password length that everyone agrees on, but you should generally go for passwords that are a minimum of 12 to 14 characters in length. A longer password would be even better.
- Includes Numbers, Capital Letters, Lower-Case Letters, and Symbols: It’s important to use a mix of different types of characters to make the password harder to crack.
- Try to Stay Away from Dictionary Words or Combination of Dictionary Words: Stay away from obvious dictionary words and combinations of them. Any word on its own is bad. Any combination of a few words, especially if they’re obvious, is also bad. For example, “school” is a terrible password. “blueSchool” is slightly less bad, but still very bad.
- Doesn’t Use Obvious Character Substitutions: Don’t use common substitutions; for example, “5chool” isn’t strong just because you’ve replaced an S with a 5.
- Don’t Use the Same Password On Multiple Sites: You should never use the same password for your website, online banking and online stores. If one site is hacked, the attacker effectively has your login for every account that shares that password. In the last year there have been several news reports of high-profile sites getting hacked. In many of these hacks, the site’s customer account information was compromised, including passwords. The following section deals with how to remember all of these different passwords.
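As an added example (not code from the original article, WordPress or LastPass), the Python checker below applies the rules above: it folds common substitutions such as “5chool” back to letters before looking for dictionary words, counts the character classes used, and compares the worst-case brute-force search space of a long lowercase password against a short one drawn from all four classes. The word list and the substitution table are constructed assumptions; a real deployment would load a full cracking dictionary.

```python
import math
import string

# Constructed mini-dictionary standing in for a real wordlist (assumption:
# a production checker would load a large cracking dictionary instead).
DICTIONARY = {"school", "blue", "password", "wordpress", "admin", "summer", "welcome"}

# Common substitutions the article warns about ("5chool"), folded back to letters.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                               "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 12

def keyspace_bits(length, alphabet_size):
    """log2 of the number of candidates a brute-force attacker must try in the worst case."""
    return length * math.log2(alphabet_size)

def character_classes(pw):
    """Count how many of the four classes (lower, upper, digit, symbol) the password uses."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)])

def dictionary_words(pw):
    """Return dictionary words found after undoing substitutions and lowercasing."""
    folded = pw.translate(SUBSTITUTIONS).lower()
    found, i = [], 0
    while i < len(folded):
        # Greedy longest-match split; characters that start no known word are skipped.
        match = next((folded[i:j] for j in range(len(folded), i, -1)
                      if folded[i:j] in DICTIONARY), None)
        if match:
            found.append(match)
            i += len(match)
        else:
            i += 1
    return found

def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    if character_classes(pw) < 4:
        problems.append("missing a character class (need lower, upper, digit, symbol)")
    words = dictionary_words(pw)
    if words and sum(map(len, words)) * 2 >= len(pw):  # half or more is dictionary words
        problems.append("built from dictionary words: " + ", ".join(words))
    return problems

if __name__ == "__main__":
    for pw in ("school", "blueSchool", "5chool", "Grape-Lantern_7Qz!"):
        print(pw, "->", check_password(pw) or "ok")
```

Note that a 14-character all-lowercase password has a larger worst-case search space than an 8-character password using all four classes, which is the point the study cited above makes.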
Now that you have a solid 14-character password, how are you going to remember it?
There is one great program that has made it very easy to keep numerous secure passwords: LastPass. We have used LastPass for years to synchronize our password databases between the different devices we use – work PC, home PC, iPads, iPhones, etc. You could store all of that password data locally, but LastPass allows us to keep a local copy of our password data on each device and maintain a master copy in the cloud that keeps all of those local copies up to date.
Below are some features of LastPass:
- Availability Everywhere – When storing passwords, convenient and reliable access is critical. LastPass ensures passwords are securely available when and where they’re needed.
- Secure Account Creation – Users create an account with an email address and a strong master password to locally-generate their unique encryption key.
- Local-Only Encryption – User data is encrypted and decrypted at the device level. Data stored in the vault is kept secret, even from LastPass.
- Two-Factor Authentication – Two-factor (multifactor) authentication adds extra security to LastPass accounts by requiring a second login step before authorizing the user.
- Leading Encryption Algorithms – We’ve implemented AES 256-bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud.
- Private Master Password – The user’s master password, and the keys used to encrypt and decrypt user data, are never sent to LastPass’ servers, and are never accessible by LastPass.