Good security is the most important aspect of your website, and the most common way that hackers break into sites is by guessing passwords. In this article, we'll look at what makes a good password and how to choose one.
How to choose a good password
The basic idea behind a password is that it's something that you know that no-one else does. A good basic minimum for a password is at least eight characters, with at least one digit and one punctuation mark. If you want to choose a really good password:
- use numbers, symbols, upper and lowercase letters
- make it at least 12 characters long
- don't use words you'd find in a dictionary, letter or number sequences (e.g. abc123), or names of pets, friends or relatives
If you need to make a new password, a good way is to use a random password generator website like Random.org
Good password practice
Really we should all have different passwords for every login. That way, in the (not unprecedented) event that one site is hacked, the hackers will only have your login details to that site, not everything you've ever signed up to. (Hopefully, even if one of your logins is stolen, the password will be encrypted anyway. All our CMS passwords are stored encrypted.)
As a minimum, have different passwords for your most important accounts.
If you need to write down your passwords, that's not necessarily a problem. It's much more likely that someone is going to steal your password online than break into your house and steal your little black book of passwords.
However this isn't a very practical solution. Once you've got a number of complicated passwords it's much better to store them in an online password repository like Last Pass or Passpack. That way you can access your passwords wherever you are, and even better you can cut and paste them into login forms - awkward random passwords are tricky to type in.
A word of warning: if you use an online repository make sure you have regular backups and a way to unpack them offline, just in case your password repository is ever unavailable for any reason.
Reset your password
It's good practice to change your password every now and again.
If you ever get a notification that one of the websites you log in to has suffered a data breach, or you get emails telling you that someone is trying to reset your account password, it's a good idea to change it straight away.
Don't forget to update your password book or repository when you change a password.
Are my passwords safe?
It's not unlikely one of your passwords has already been hacked. To find out, go to Have I been pwned?, a website that keeps a record of data breaches. Enter your email address and you'll discover whether the password you use for any of the websites has been hacked.
For example one of Mat's email addresses was included in the 2013 Adobe hack which included data on 153 million accounts and the 2012 Dropbox hack which included 60 million account logins. He now uses a different password for every single website.
Top 20 most common passwords
Below is a list of the most common twenty passwords in 2016 according to Wikipedia.
- 123456
- password
- 12345
- 12345678
- football
- qwerty
- 1234567890
- 1234567
- princess
- 1234
- login
- welcome
- solo
- abc123
- admin
- 121212
- flower
- passw0rd
- dragon
- sunshine
Needless to say that if any of your passwords are on this list you should change them immediately!
Some of them are more obvious than others, but they are all classic examples of a weak password.
Read more tips on how to avoid getting hacked (or what to do if you have been hacked).