It’s Dangerous to Reuse Passwords. Take This!

Jonathan Eyler-Werve

April 13, 2013


At the moment WordPress sites worldwide are under attack by a botnet that is attempting to guess admin passwords. If you admin a WordPress site, please update your password to something over 20 characters and install the Limit Login Attempts and Better WordPress Security plugins.

But this isn’t a WordPress issue. It’s an Internet issue, one that can be defeated by some simple password practices. The attack is a brute-force attack that tries common passwords, most of which are dictionary terms of 8 characters or fewer.

So don’t use short passwords.

The best way I’ve come up with to not use short passwords is to stop memorizing passwords.

Instead, use an encrypted password vault with a single master passphrase. My favorite for this is

Passpack is ideal for small teams because it allows secure sharing across teams at the per-password level. So an AdWords account gets shared with the group Marketing, and three other people now have access to only that password. Access can be revoked later (although you’ll want to change the password regardless). Small teams are free forever, and bigger teams are totally reasonable (you can admin 15 users for $4 a month).

Once you have that in place, you are copy/pasting blind chunks of text, which means you can use the “Suggest Password” tool to generate 30-digit random strings, which are effectively unguessable without direct access to the hardware.
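To put numbers on "effectively unguessable", here is an added Python example (not part of the original post, and not Passpack's code) that generates 30-character strings with the operating system's CSPRNG and compares their search space with that of an 8-letter lowercase password. The 94-symbol alphabet and the guess rate of one billion per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: 94 printable ASCII symbols; the post does not say what Passpack uses.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=30, alphabet=ALPHABET):
    """Draw each character uniformly from the alphabet using the OS CSPRNG."""
    symbols = sorted(set(alphabet))  # drop duplicates so the draw stays uniform
    if length < 1 or len(symbols) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(symbols) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=1e9):
    """Contrast an 8-letter lowercase password with a 30-symbol random one.

    The default rate is an assumed offline-cracking figure, far faster than
    guessing through a web login form.
    """
    short = entropy_bits(8, 26)
    vault = entropy_bits(30, len(set(ALPHABET)))
    return {
        "short_bits": short,
        "vault_bits": vault,
        "short_years": years_to_exhaust(short, guesses_per_second),
        "vault_years": years_to_exhaust(vault, guesses_per_second),
    }


if __name__ == "__main__":
    print(generate_password())
    for name, value in compare().items():
        print(f"{name}: {value:.3g}")
```

The 8-letter figure treats the short password as random letters; a dictionary word has far less entropy than that, so the real gap is wider.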

Now you only remember one sentence-length passphrase (such as song lyrics + your childhood phone number) and everything else gets a very complex, never reused password. It’s more secure, and it’s also a lot easier than actually remembering all your passwords.

Image: Server room at CERN by Torkild Retvedt (CC by/sa)