How to choose a secure password for WordPress

Last Updated on: 26th April 2022, 12:50 pm

Understanding the WordPress password system

WordPress makes use of the zxcvbn code to estimate whether a chosen password is strong or not. The code is courtesy of Dropbox and hosted here on Github. Dropbox published a very nice blog post in 2012 explaining its concept. My following explanations are based on its content which were eye opening to me. I encourage you to give it a read, if you are interested in the subject.

The author also provides a test tool that you can use to gauge password strength in a very informative manner. Additionally I needed to familiarise myself with the term Entropy which I did via Wikipedia here (Entropy in computing) and here (Entropy in Information Theory).

How passwords are hacked

Unless you are worth their time, no hacker will attack you personally. Almost every attempt at your credentials is executed by a machine. A computer uses sources like dictionaries and precomputed tables, for example the famous Rainbow table, to simply guess your password.

A machine has infinite patience and will keep trying all possible variations until it finds a match. How long this will take depends on your set password and the computer’s resources.

Entering your password into the zxcvbn test tool gives you an overview of the amount of time and attempts a machine requires to guess your password right.

What is a secure password

I will not explain how a passwords structure is deemed secure exactly (you can learn about this using the links above), but instead recommend you follow these rules to create one:

  • Minimum length: 14 characters
  • Minimum amount of symbols: 1
  • Minimum amount of capital letters: 1
  • Minimum amount of numbers: 1

In conclusion this is a very secure password:


and this is is pretty weak:


This is what surprised me the most, when I learned about password strength determination. I thought that more symbols, more capital letters and less readability make a difference, when in fact they don’t matter at all. What matters is length and minimum amount. And readability is of less importance, but minimum length is very important.

How to create your own password system

Many people struggle with password creation and management. I personally use a password manager that creates very long and cryptic passwords for me. There is only a handful of passwords that I know by heart and currently the majority of my passwords I have never seen or written. However I am trying to change this and here is how.

In order for a password to work for you in needs to be two things. Secure and easy to recall. For it to be easy to recall you need to be able to (re)construct the password on the fly. You can do this by creating your own password logic using a fixed and variable key.

The fixed key makes your password secure and is something you can easily remember. It should fulfil all above rules, but does not need to meet the minimum length requirement alone.

Here is an example :


The variable key is something that is always available to you when you need to enter the password and it makes the password unique to the subject (Do not use the same password twice).

For example:

The website URL address.

So if you were to create a username for this blog your password structure would be:

  • fixed key:  sUperword=
  • variable key:
  • final password:

While this password is already quite secure, this kind of fixed key is readily available to everyone. In order to make it available only to you you need to apply a rule that modifies the fixed key effectively.

For example:

The website URL address. But always without the first 2 vowels.

This modifies the fixed key in a way that is only accessible to you. Your password structure now:

  • fixed key:  sUperword=
  • variable key:
  • final password:

This creates a password for you, that is both secure and easy to recall. Once you have created your own password system, test it out a few times to be sure its consistently applicable for your use cases. I hope this helps you to be on better terms with your own secure password policy.


Leave a Reply

Your email address will not be published. Required fields are marked *

Con Schneider