WordPress Passwords Tip

I wrote this article on one of my blogs recently and have had some good feedback so I thought I would share it with the community here.

You’ve probably heard it a thousand times – strong passwords are the foundation of good security. The problem is that those randomly generated strong passwords are way too hard to remember, right?


One of the major characteristics of a strong password is length. That’s just common sense. For example, if you had to open a lock that had a two digit pin number you are going to get it in no more than 100 tries – because it has to be a number between 00 and 99. If it was an 8 digit pin then it’s going to take a much longer time to try all 100,000,000 combinations.

So now we know that bigger really is better when it comes to passwords. The next question is… how do we make a strong password that is easy to remember, and how do we know how strong it is? Okay, so that’s two questions!

Grammar Is Your Friend

The good news is that strong passwords don’t actually have to be random or difficult to remember. Just a little bit of punctuation will do wonders. In this demonstration I’m going to refer to one of my favourite tools – GRC’s Password Haystacks (we’ll call it GRC for short) – to determine how strong the password is. Whilst the GRC tool isn’t accurate down to the hour, the month or even the century, it will give us a good bit of guidance as to whether our password is going to be difficult for man, woman or machine to guess.

I’m going to start with a simple longish password: slapthemonkey

GRC tells me that it would take about 9.85 months to guess that password on a computer that can do around 100 billion guesses per second. Not too shabby, but if they’re going to guess it I want it to be more of a ‘deep thought‘ scenario where the only people who will find out the answer will be their very distant descendants – in around 7.5 million years or more!

In order to make my password as hard to calculate as the meaning of life, the universe and everything I just need to add some punctuation.

My new ultra strong password is: Slap.The.Monkey

Wasn’t that easy? All I did was put capitals at the start of each word and some dots between them. GRC now tells me that, using the computer that can do around 100 billion guesses per second, it will now take around 2.81 hundred million centuries to guess my password.


So now there’s no excuse for having nasty passwords that are easy to guess. Just use a few words, something inane, fun or even some song lyrics that you will remember easily. Here are some of my favourites – see if you can guess where they came from…

Pocket.Full.Of.Crackers (7.66 hundred billion trillion centuries to guess)

And.I.Liked.It (3.31 million centuries to guess)

Caught.In.A.Landslide (1.06 hundred million trillion centuries to guess)

Hang On Just A Minute!

One of the golden rules of passwords is that you should never use the same password in more than one place. That could be a problem if we weren’t so darn clever. We can make our fun passwords unique and still make them different everywhere AND easy to remember. How about we add the name of the site at the end. For example, if we wanted to use our original password for our Gmail account then it becomes:


So now we have a strong password that is unique for each site we access, virtually impossible to guess and yet easy to remember. The ultra important thing to remember here though is that we never want to tell anyone our ‘base’ password (Slap.The.Monkey) else we’ll give them a very good clue as to what our password is at the various places we log in.

If we wanted to be really clever, we might decide that the last part will always be appended via a + instead of a dot.


I hope you enjoyed this little romp through strong password land – if I can convince just one person to stop using ‘password’ or ’12345′ as a password then my work is done here!

If you would like to find out more about passwords then make sure you stop by GRC’s Password Haystacks and Xato.net as both sites have loads of information about passwords.

  • Mark Wallace
    • Learn-ing-er

    Nice tips teckyhead!

    Personally once a site goes live; i make the Network Admin user name from a generated password, and the password as a generated password, then just copy and past them both.

    But i also keep a 16GB flash drive on me at all times with my websites info on it.

    I may try your suggestions in the future! :slight_smile:

    Thanks teckyhead!

  • Arun Basil Lal
    • New Recruit

    Good one! I have a system that I use, where in each password is based on a formula. All my passwords are quite long too.

    Of course, each site uses a bit different combination and I have my reminders for the important ones. The less important ones are stored in my browser :slight_smile:

    Here is something that happened only yesterday, and something that would make this very relevant. Someone emailed me asking for the login details of an old client of mine. The client isn’t using WordPress anymore and has moved to something else to manage the site, so obviously I didn’t have the login.

    But I was able to figure the password in about 20 minutes, guess what the password was? “password”. How lame is that? lol

    Thanks for the share Gary!

  • teckyhead
    • Design Lord, Child of Thor

    Hi Arun and thanks for the points. I’ve been in the IT business since the early 90’s and I’ve seen a lot of cases where people use really simple passwords. I don’t think I’ve had any using ‘password’ other than with ADSL routers which nearly always default to admin/password (and the owners don’t change them).

    I’ve come across a few using 12345 and a few using letmein. I think that for a lot of people it’s like data backups and anti-virus – they generally don’t see the importance until they have some sort of catastrophe.


Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.