[HelpHub] Content review - Password Best Practices #452

Closed
Tracked by #834
estelaris opened this issue Sep 19, 2022 · 7 comments
Assignees
Labels
Content Review good first issue Good for newcomers user documentation (HelpHub) Improvements or additions to end-user documentation

Comments

@estelaris
Member

Issue Description

Last section recommends popular password managers and the last paragraph indicates that only KeePass is a free solution. Except for 1Password, all the other tools have a free plan.

URL of the Page with the Issue

Password Best Practices

Section of Page with the issue

Keeping track of your passwords

Why is this a problem?

When recommending 3rd party tools we should be objective and truthful

Suggested Fix

Change the paragraph to say something like Most password managers are a paid service, however they may offer a free plan.

@estelaris estelaris added user documentation (HelpHub) Improvements or additions to end-user documentation good first issue Good for newcomers Content Review labels Sep 19, 2022
@github-actions

Heads up @femkreations @atachibana - the "user documentation" label was applied to this issue.

@ejpadero

@zzap @jennimckinnon Please could I try working on this?

@ejpadero

Original last paragraph:

Most password managers are a paid service, however if you’re looking for a free solution, you’d might want to check out KeePass.

Suggested change:
While most password managers are a paid service, if you're looking for a free solution, some may offer a time-based trial or plan.

===

I hope this helps, @femkreations. Please let me know if any further revision is needed. Thanks!

@zzap
Member

zzap commented Apr 5, 2023

Related #733

@jaapwiering

changes

write in second person familiar in English

While I wouldn’t suggest picking a password containing less than 20 characters, I can certainly understand it can be hard to remember a random string of letters, numbers and special characters.

change sentence to

You shouldn't pick a password containing less than 20 characters. It can be hard though to remember a random string of letters, numbers and special characters.

special characters

Containing special characters such as a question or an exclamation mark

change sentence to

Containing special characters such as !"#$%&'()*+,-./:;<=>?@[]^_{}|~`
(so: exclamation, double quote, hash, dollar, percent, ampersand, single quote, parentheses, asterisk, plus, comma, minus, period, slash, colon, semicolon, less, equals, greater, question, at, brackets, caret, underscore, backtick, braces, pipe, tilde)

more about special characters

  • a backslash \ is not allowed
  • many typographical characters like elegant quotes, ligatures, letters with accents and mathematical symbols are allowed (by WordPress) in passwords, but not recommended. Some characters are hard to recognize. Many characters are harder or sometimes impossible to type on a device. The characters cannot be substituted by a simpler version; it has to be exactly that character
  • a space is allowed, but not recommended at the start of a password

password examples within double quotes

A good password that upholds all of the guidelines above could be “As32!KoP43??@zki??L0d”.

It is not completely clear if the quotes and the period are part of the password, because they are allowed as special characters. I suggest writing this example in code-style (monospaced font) and omitting the quotes and period. It could also be helpful to put the password on a line by itself.

password managers

The section Popular password managers [...] check out KeePass.

replace this with

A list of password managers and their features is available on https://en.wikipedia.org/wiki/List_of_password_managers. Most browsers can store and synchronize your accounts and passwords.

additions

suggested password

When you make a new account for your site a password will be suggested or you can use the button "Generate password". These strong passwords contain 24 characters, numbers, letters, capitals, and special characters.

optional

user names

Should something be said about user names? "Admin" should not be used, but it is not hard to discover a list of all the user names.

two factor authentication

This is a great way to make access more secure, but requires third-party plugins. Look for plugins in the plugins directory with tags like "2FA", "two factor authentication", "two step".

@jomarieminney

Suggested updated article, combining suggestions from @jaapwiering and @mujuonly ( #733 ) and a couple of my own tweaks to improve readability... my first time so please be gentle 😆

Password Best Practices

Securing your WordPress starts with a strong password. A strong password is complex and elaborate. It isn’t easy to guess since it doesn’t contain recognizable words, names, dates or numbers. You shouldn't pick a password containing less than 20 characters. It can be hard though to remember a random string of letters, numbers and special characters. But in general, the more characters and complexity, the better.

Here are some suggested guidelines when creating a strong password:

  • At least 20 characters (preferably more)
  • Use lowercase and uppercase
  • Containing numbers
  • Containing special characters such as `` !"#$%&'()*+,-./:;<=>?@[]^_{}|~` ``

More about special characters

  • a backslash \ is not allowed
  • many typographical characters like elegant quotes, ligatures, letters with accents and mathematical symbols are allowed (by WordPress) in passwords, but not recommended. Some characters are hard to recognize. Many characters are harder or sometimes impossible to type on a device. The characters cannot be substituted by a simpler version; it has to be exactly that character
  • a space is allowed, but not recommended at the start of a password

Example

A good password that upholds all of the guidelines above could be As32!KoP43??@ZkI??L0d

Things you should absolutely avoid

Names or words that can be easily linked to you:

  • The name of your partner or kids
  • The name of your pet
  • The name of your company
  • The name of your favorite sports team or car brand
  • The year in which you were born
  • Your birthday

All these items are personal (mostly public) information and thus possible risks for social engineering. So avoid these at all costs!

Example

  • If your name is John Rogers and you were born in 1976, JohnRogers1976 would be a really bad idea for a password.

Generic password elements:

  • Number sequences like “123” or “54321”
  • Using generic words like “admin”, “administrator”, “pass”, “password”, “blue”, “house”…

These elements are often the first terms that are used by malicious people or software when attempting to brute force your password, so should be avoided!

Example

Obviously, the password examples below are horrible passwords and NOT SECURE:

  • MattMullenweg2018
  • admin123
  • Password1!

You should also avoid using the same password on multiple sites or accounts.

Automatically generated passwords in WordPress

When you make a new account for your site or reset your password, a password will be suggested for you (or you can use the button "Generate password"). These strong passwords contain 24 characters, numbers, letters, capitals, and special characters.

Keeping track of your passwords

Since complex passwords are a real necessity these days, it can be a real burden to remember every single password. Fortunately, password managers can help users keep track of their different passwords without resorting to using the same password on multiple sites. Password managers act as a vault for your passwords, secured by one (complex) master password. Many also have functionality to automatically (or on your command) enter your stored password for you, via browser extensions or desktop applications. Using a password manager means you only need to remember your one master password to access all of your other passwords.

A list of password managers and their features is available on https://en.wikipedia.org/wiki/List_of_password_managers. Most browsers can store and synchronize your accounts and passwords.

Other security recommendations

Two factor authentication

Another great way to keep your WordPress access more secure is to set up two factor authentication (2FA). Currently, this requires installation of a third-party plugin. To set up 2FA, look for plugins in the plugins directory with tags like "2FA", "two factor authentication", or "two step".

Usernames

A common method of brute force hacking is to use a “dictionary” of common username and password combinations. For this reason, it is often recommended to avoid common usernames such as “admin”.
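
As an added example that is not part of this thread and not WordPress code, the following Python module turns the draft article's guidelines (at least 20 characters, mixed case, digits, a special character from the listed set, no backslash, no leading space, no generic words or number sequences, no personal information) into a checker, and pairs it with a generator that produces 24-character passwords from the same character set, mirroring the length the draft says WordPress suggests. The generic-word and sequence lists are taken from the draft; the `personal_info` parameter and all function names are this example's own assumptions, and the generator is illustrative rather than a reimplementation of WordPress's `wp_generate_password()`.

```python
"""Password-guideline checker and generator following the draft article above.

Added example; not part of the GitHub thread and not WordPress code.
"""
import secrets
import string

# Special characters the draft lists as acceptable. Backslash is deliberately absent
# because the draft says WordPress does not allow it.
SPECIAL_CHARS = "!\"#$%&'()*+,-./:;<=>?@[]^_{}|~`"
MIN_LENGTH = 20          # "At least 20 characters (preferably more)"
GENERATED_LENGTH = 24    # length of the passwords WordPress suggests, per the draft

# Generic elements the draft says to avoid (its own list, not an exhaustive wordlist).
GENERIC_WORDS = ("admin", "administrator", "pass", "password", "blue", "house")
NUMBER_SEQUENCES = ("123", "54321")


def check_password(password, personal_info=()):
    """Return a list of guideline violations; an empty list means the password passes.

    personal_info (assumed parameter): strings tied to the user, such as names,
    birth year or company, that the draft says must not appear in the password.
    Matching is case-insensitive so 'John' is caught inside 'johnrogers1976'.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    if "\\" in password:
        problems.append("contains a backslash, which WordPress does not allow")
    if password.startswith(" "):
        problems.append("starts with a space")
    # Typographic and accented characters are allowed but discouraged by the draft
    # (hard to recognise or type); flag anything outside printable ASCII.
    if any(ord(c) > 126 for c in password):
        problems.append("contains non-ASCII characters (allowed, but not recommended)")
    lowered = password.lower()
    for word in GENERIC_WORDS:
        if word in lowered:
            problems.append(f"contains generic word '{word}'")
    for seq in NUMBER_SEQUENCES:
        if seq in password:
            problems.append(f"contains number sequence '{seq}'")
    for item in personal_info:
        item = str(item).lower()
        if item and item in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


def generate_password(length=GENERATED_LENGTH):
    """Generate a random password from letters, digits and SPECIAL_CHARS.

    Uses the secrets module (a CSPRNG) and retries until the candidate satisfies
    check_password(), so a result is never missing a character class. Shorter
    requests than MIN_LENGTH are rejected rather than looping forever.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIAL_CHARS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # The draft's own good and bad examples, run through the checker.
    samples = {
        "As32!KoP43??@ZkI??L0d": (),
        "JohnRogers1976": ("John", "Rogers", 1976),
        "MattMullenweg2018": ("Matt", "Mullenweg"),
        "admin123": (),
        "Password1!": (),
    }
    for pw, info in samples.items():
        print(pw, "->", check_password(pw, info) or "OK")
    print("generated:", generate_password())
```

Running the module prints one line per sample; only the draft's recommended example comes back `OK`, and the generated password always passes the same checks it was generated against.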

@jomarieminney

This can be closed - updated :)

@zzap zzap closed this as completed May 23, 2023