Protect your account with strong passwords

Last reviewed on July 14, 2025

Your password is the main defense for your online accounts. If someone learns your password, and you have not enabled two-step authentication, they can access your account and modify your website. This guide will help you create strong, unique passwords to keep your account secure.

Tips for creating strong passwords

Using a unique, strong password for every account is the best way to protect your online security. For the highest level of protection, use a password manager to generate and store your passwords. If you prefer, use a random passphrase that is long and memorable. Review your passwords regularly and update any that are weak or reused.

  • Use a unique password for every site. If you reuse passwords, a breach on one site can put all your accounts at risk. Always use different passwords for sites that store sensitive or financial information.
  • Choose a strong email password. Your email address is often your main identification for online services. If someone gains access to your email, they can reset your passwords and access your accounts.
  • Never share your passwords. Even if you trust someone, sharing your password increases the risk of it being intercepted or misused. Change your password immediately if you believe someone else knows it.
  • Do not send passwords by email. Emails are rarely encrypted and can be read by attackers. WordPress.com staff will never ask for your password. If you must share a password, use a secure method like pwpush.com and set the link to expire after it is viewed once.
  • Avoid saving passwords in your web browser. Browsers may not store passwords securely. Use a password manager instead.
  • Do not save passwords or use “Remember Me” on public computers. Others may access your account if you do. Always log out and close your browser when finished.
  • Avoid writing down passwords. If someone finds your written password, your account is not secure. Use a password manager to store passwords safely. For unrecoverable passwords, such as your password manager’s master password, store them securely in a safe deposit box or locked safe.

How to generate strong passwords

There are two recommended methods: using a password manager or creating a passphrase. Choose the method that works best for you and follow the steps below.

A password manager is an app that creates and stores strong passwords in a secure database. You only need to remember one master password to unlock the manager. The app can fill in your usernames and passwords automatically for websites.

To set up a password manager, follow these steps:

  1. Select a password manager. Popular options include:
  2. Install the password manager on your computer or mobile device.
  3. Install any browser extensions or plugins for your preferred web browser.
  4. Create a strong master password to secure your password database. See the Passphrase section below for tips.

Write down your master password and store it in a secure location, such as a safe deposit box or locked safe. This ensures you have a backup if you forget it.

Once your password manager is set up, use its password generator to create strong passwords. Set the generator to use 30–50 random characters, including upper and lowercase letters, numbers, and symbols.

Example: N9}>K!A8$6a23jk%sdf23)4Q[uRa~ds{234]sa+f423@.

You do not need to remember or type these passwords; the password manager will handle that for you.

Passphrases

A passphrase is a sequence of random words, such as copy indicate trap bright. Passphrases are longer and easier to remember than traditional passwords, making them more secure.

To create a strong passphrase:

  1. Choose four random words. You can use a tool like the xkcd Passphrase Generator or make up your own.
  2. Add spaces between the words if you prefer.
  3. Optional: Make some letters uppercase, and add numbers or symbols for extra strength.

Example: Copy indicate 48 Trap (#) bright

Passphrases are ideal for your password manager’s master password or your operating system account.
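
The passphrase steps above as an added Python example (not part of the original guide): it picks the words with the operating system's secure random generator instead of by hand, and estimates strength in bits for both passphrases and generated passwords. The word list is a small constructed sample, and all function names are illustrative.

```python
import math
import secrets
import string

# Constructed sample list, for illustration only. Real use needs a list of
# several thousand words, because strength grows with the list size.
SAMPLE_WORDS = ["copy", "indicate", "trap", "bright", "lantern", "orbit",
                "velvet", "cactus", "harbor", "puzzle", "meadow", "ticket",
                "anchor", "pepper", "glacier", "window"]
SYMBOLS = "!#$%&*+?@"

def generate_passphrase(words, count=4, decorate=False):
    """Steps 1-3: pick `count` words with a CSPRNG and join them with spaces."""
    words = sorted(set(words))  # duplicates would skew the random choice
    if len(words) < 2 or count < 1:
        raise ValueError("need at least two distinct words and count >= 1")
    tokens = [secrets.choice(words) for _ in range(count)]
    if decorate:  # optional step 3: one capital, one number, one symbol
        i = secrets.randbelow(count)
        tokens[i] = tokens[i].capitalize()
        for extra in (f"{secrets.randbelow(100):02d}", secrets.choice(SYMBOLS)):
            tokens.insert(secrets.randbelow(len(tokens) + 1), extra)
    return " ".join(tokens)

def random_password(length=30):
    """The password-manager style: random letters, numbers and symbols."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(choices, picks):
    """Bits of entropy when `picks` items are drawn uniformly from `choices`."""
    return picks * math.log2(choices)

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(generate_passphrase(SAMPLE_WORDS, decorate=True))
    print(random_password(30))
    # Four words from a 2048-word list versus 30 characters from 94 symbols.
    print(entropy_bits(2048, 4), round(entropy_bits(94, 30), 1))
```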

What to avoid:

  • Do not use predictable patterns or complete sentences.
  • Do not use song lyrics, quotes, or published phrases; attackers have access to large databases of these.
  • Do not use personal information, such as names, birthdays, or favorite sports teams.
