Get Serious About Password Security
I see crazy-weak passwords every day. Otherwise perfectly smart people will pick the weakest passwords for their website admin logins. It baffles me every time. Please do it right. It is easy, I promise.
Brute force attacks are real
A brute force attack is when a computer systematically tries every possible password combination until it finds the right one. In 2008 an 18-year-old hacked into Twitter’s admin panel using a dictionary attack — a variant that tries common words and phrases. The RockYou breach exposed 32 million passwords, revealing that the most common ones were “123456”, “12345”, “123456789”, “password”, and “iloveyou”.
Your website is a target. Automated bots constantly probe WordPress login pages, trying common username/password combinations. A weak password is an open door.
The 5 basics
- Use a unique password for every account. If one service gets breached, your other accounts remain safe.
- Make passwords long. An 8-character password can be cracked in about a minute. A 12-character password would take roughly two centuries with current technology. Length matters far more than complexity.
- Use a password manager. You can’t remember unique, long passwords for every account. You don’t have to. A password manager generates and stores them for you.
- Enable two-factor authentication (2FA) wherever possible. Even if your password is compromised, 2FA provides a second barrier.
- Never reuse passwords. This bears repeating. One breach should never compromise your entire digital life.
Use a password manager
I recommend 1Password. It generates strong, unique passwords for every site and fills them in automatically. You only need to remember one master password — the one that unlocks the vault.
There are other good options too: Bitwarden (open source, free tier available) and Dashlane. Avoid LastPass — they suffered serious breaches in 2022 that exposed customer vault data. Pick a manager you trust and use it consistently.
Password length matters most
The math is straightforward but it shifts as hardware gets faster. With modern GPUs, a simple 8-character password can be cracked almost instantly. Even 10 characters won’t hold up long against a determined attacker. You want at least 16 characters, or better yet a passphrase — something like “correct-horse-battery-staple” is both easy to remember and extremely hard to crack.
The point isn’t the exact numbers. It’s that every additional character exponentially increases the time required. Length beats complexity every time.
Browser password managers have improved
I used to advise against saving passwords in your browser. That’s changed. Apple’s Passwords app and Google Password Manager now offer real encryption, cross-device sync, and passkey support. If you’re already in the Apple or Google ecosystem, their built-in tools are a solid option — certainly better than reusing “fluffy123” everywhere. A dedicated manager like 1Password still offers more features, but the gap has narrowed considerably.
Passkeys are the future
Passkeys are the most significant improvement in login security in years. Instead of a password, your device generates a unique cryptographic key pair. You authenticate with your fingerprint, face, or device PIN — nothing to type, nothing to remember, nothing to steal. They can’t be phished, they can’t be guessed, and they don’t exist on any server to be breached.
Google, Apple, Microsoft, and most major services now support passkeys. If a site offers them, use them. They are simply better than passwords.
Your website specifically
For WordPress sites:
- Change the default admin username from “admin” to something unique
- Use a strong, generated password for your admin account
- Install a login limiting plugin that blocks IP addresses after failed attempts
- Keep WordPress, themes, and plugins updated — security patches matter
- Consider a web application firewall like Sucuri or Wordfence
Your website is your business. Protect it accordingly.