When it comes to content management systems (or blogging platforms), WordPress is king. As of April of last year, it powered one out of every six websites on the Internet, or 60 million total. One can only imagine that the company’s dominance has increased since then.
Of course, ubiquity attracts hacks. Earlier this week, a botnet went live that uses brute force to crack WordPress installations. A botnet is a series of computers that run malware. The malware uses the computer’s Internet connection to perform specific activities in concert with the rest of the network, such as sending trillions of password attempts at a site until the correct password is guessed (the brute force tactic).
Fortunately, many hosting providers were quickly alerted to the issue and began blocking the botnet. The United State Computer Emergency Readiness Team (US-CERT) also issued an alert, noting that the attack uses brute force password cracking techniques to target blogs with "admin" as the user name.
This provides the perfect opportunity to remind our readers of two things: never use "admin" as your administrative username (even if it is the suggested default) and ensure that you have a strong password.
What makes a strong password? Out of these two passwords, which do you think is stronger?
Nearly everyone would think the first password was superior, right? It has special characters, after all. Most sites now require a password with capitals, special characters, and a bunch of other irritating characteristics that make you forget your password instantly.
According to Haystack Calculator, the former would only take 5.21 seconds to crack with a massive array of computers. The latter, however, would take 97.49 centuries. The latter is also easier to remember.
Why is that? When it comes to passwords, longer is better. Capital letters and special characters can't hurt, but it's the number of characters that truly makes a password difficult to crack by random password-breaking bots.
This comic (click to enlarge) also quite succinctly explains our long-standing password creation fables:
If you are one of the eighteen percent (or more) of sites on the Internet powered by WordPress, now would be a good time to (a) change your administrative username to something non-generic and (b) to change your password to something more memorable, yet loooooooonger.