{"id":10821302,"date":"2018-10-27T09:57:36","date_gmt":"2018-10-27T09:57:36","guid":{"rendered":"https:\/\/wordpress.org\/support\/?post_type=helphub_article&p=10821302"},"modified":"2023-05-23T14:25:30","modified_gmt":"2023-05-23T14:25:30","slug":"password-best-practices","status":"publish","type":"helphub_article","link":"https:\/\/wordpress.org\/documentation\/article\/password-best-practices\/","title":{"rendered":"Password Best Practices"},"content":{"rendered":"\n
Securing your WordPress starts with a strong password. A strong password is complex and elaborate. It isn\u2019t easy to guess since it doesn\u2019t contain recognizable words, names, dates or numbers. You shouldn’t pick a password containing fewer than 20 characters. It can be hard though to remember a random string of letters, numbers and special characters. But in general, the more characters and complexity, the better.<\/p>\n\n\n\n
Here are some suggested guidelines when creating a strong password:<\/p>\n\n\n\n
`!\"#$%&'()*+,-.\/:;<=>?@[]^_{}|~``<\/code><\/li>\n<\/ul>\n\n\n\nMore about special characters<\/h2>\n\n\n\n\n- a backslash
\\<\/code> is not allowed<\/li>\n\n\n\n- many typographical characters like elegant quotes, ligatures, letters with accents and mathematical symbols are allowed (by WordPress) in passwords, but not recommended. Some characters are hard to recognize. Many characters are harder or sometimes impossible to type on a device. These characters cannot be substituted by a simpler version; the password must contain exactly that character<\/li>\n\n\n\n
- a space is allowed, but not recommended at the start of a password<\/li>\n<\/ul>\n\n\n\n
Example<\/strong><\/p>\n\n\n\nA good password that upholds all of the guidelines above could be:<\/p>\n\n\n\n
As32!KoP43??@ZkI??L0d<\/code><\/p>\n\n\n\nThings you should absolutely avoid<\/h2>\n\n\n\n
Names or words that can be easily linked to you:<\/p>\n\n\n\n
\n- The name of your partner or kids<\/li>\n\n\n\n
- The name of your pet<\/li>\n\n\n\n
- The name of your company<\/li>\n\n\n\n
- The name of your favorite sports team or car brand<\/li>\n\n\n\n
- The year in which you were born<\/li>\n\n\n\n
- Your birthday<\/li>\n<\/ul>\n\n\n\n
All these items are personal (mostly public) information and thus possible risks for social engineering. So avoid these at all costs!<\/p>\n\n\n\n
Example<\/strong><\/p>\n\n\n\n\n- If your name is John Rogers and you were born in 1976,
JohnRogers1976<\/code> would be a really bad idea for a password.<\/li>\n<\/ul>\n\n\n\nGeneric password elements:<\/p>\n\n\n\n
\n- Number sequences like \u201c123\u201d or \u201c54321\u201d<\/li>\n\n\n\n
- Using generic words like \u201cadmin\u201d, \u201cadministrator\u201d, \u201cpass\u201d, \u201cpassword\u201d, \u201cblue\u201d, \u201chouse\u201d\u2026<\/li>\n<\/ul>\n\n\n\n
These elements are often the first terms that are used by malicious people or software when attempting to brute force your password, so they should be avoided!<\/p>\n\n\n\n
Example<\/strong><\/p>\n\n\n\nObviously, the password examples below are horrible passwords and NOT SECURE:<\/p>\n\n\n\n
\n- MattMullenweg2018<\/li>\n\n\n\n
- admin123<\/li>\n\n\n\n
- Password1!<\/li>\n<\/ul>\n\n\n\n
You should also avoid using the same password on multiple sites or accounts.<\/p>\n\n\n\n
Automatically generated passwords in WordPress<\/h2>\n\n\n\n
When you make a new account for your site or reset your password, a password will be suggested for you (or you can use the button “Generate password”). These strong passwords are 24 characters long and contain numbers, letters, capitals, and special characters.<\/p>\n\n\n\n
Keeping track of your passwords<\/h2>\n\n\n\n
Since complex passwords are a real necessity these days, it can be a real burden to remember every single password. Fortunately, password managers can help users keep track of their different passwords without resorting to using the same password on multiple sites. Password managers act as a vault for your passwords, secured by one (complex) master password. Many also have functionality to automatically (or on your command) enter your stored password for you, via browser extensions or desktop applications. Using a password manager means you only need to remember your one master password to access all of your other passwords.<\/p>\n\n\n\n