How to create a secure password

How to create a secure password

A vast majority of security breaches involve compromised passwords. Skilled malicious users use software created specifically to crack them. While it is impossible to eradicate the threat entirely, a strong password makes it drastically more difficult to hack your website.  

A strong, secure password consists of three elements: secrecy, uniqueness, and complexity. The goal is not to "hack-proof" your site or application, but to make it more resistant by significantly increasing the time it takes to guess your password.

Many users only dabble in the security measures outlined below, paying them lip-service until a hacker teaches them a brutal lesson by stealing their data or livelihood. Do not be one of them. 


This sounds obvious and yet a surprising number of security compromises occur when users either voluntarily or involuntarily share their password with a third-party. No reputable service provider in any industry will ask users for their passwords in emails, bulletin boards, over the phone or via other forms of communication. Do not surrender your password to anyone, for any reason.

Some companies will also adopt a policy of requiring their employees to change their passwords monthly. In theory, this increases protection. In practice, however, it weakens it when employees choose simple passwords or write them down to make the frequent changes easier to remember. Frequent password changes can be wise, provided you consistently choose strong passwords and store them only in your head. Do not recycle old passwords or you will the advantage of changing them in the first place.

Finally, if you ever suspect a security leak of any kind, immediately change your passwords.


Involuntary sharing typically occurs when a hacker learns one of your passwords on a less secure site and then uses that same password to access more secure sites. Hackers count on people using one favorite password and perhaps a handful of variants for all of their favorite sites. Your bank's website is harder to crack than your favorite online basket weaving store, so they target the latter, then try that password on your bank's website. 

The simplest and most effective countermeasure is to generate a unique password for each and every application, website, and device in use. If this sounds like a bookkeeping nightmare, weigh it against the potential cost of a hacker gaining full administrative access to your website, and use a password manager to make it much easier to track your passwords. At the very least, we urge you to keep each administrative password unique. Once you generate the password, do not repeat that password anywhere else.


Nearly all hacks involve cracking a weak password, and one common method of guessing your password is a brute force attack. Using specialized software, these attacks make hundreds of millions of random guess per second. The time it takes them to crack a password involves many variables, but the most significant of the three are: 

  • The speed of the hacker's connection

  • The speed of the hacker's computer

  • The complexity of the password

Of these three, you can control one: password complexity. A surprising amount of users rely on default passwords such as "admin," "password1" or some form of their birthday. As you might expect, these passwords are among the first attempted and the attack will succeed almost immediately. The hardest passwords to crack string together unrelated words and sequences of numbers. For example: 

  • always26keyboardpumpkin723baseball

  • 22hazespaghetti641tulip132bathtub

Never use common and ill-advised choices like:

  • Any names related to your partner, children, or pets

  • Your address, places of education, or favorite sports teams

  • Any birthdates relating to you or your family members

  • Any portion of your social security number

  • Any natural sequences of numbers like "1234" or "2468"

The solution: password managers and two-factor authentication

The idea of maintaining 20 or more unique and complex passwords is unpleasant and tends to drive users toward using one password over a host of applications. If maintaining unique, complex passwords for all of your applications sounds difficult, use a password-management application like LastPassDashlane, or 1Password to safely catalog and encrypt your unique passwords in the Cloud under one unique master password. They also offer two-factor authentication, and we strongly recommend this additional security measure. In the event a hacker successfully compromises your password, the hacker still cannot gain access without the second form of authentication. This second form may require a thumb-drive, a fingerprint scanner, or a mobile device.

If you are using Magento, consider using Sentry Two-Factor Authentication, a free open source extension for the popular eCommerce platform. Many popular applications now offer two-factor authentication by a variety of methods, including an app, text, email, or even a phone call. In general, if you have the opportunity to enable two-factor authentication for an app, we strongly recommend doing so.   

Other resources

For help generating a secure password, try the Nexcess Secure Password Generator. This generator instantly creates a random password built to your specifications. It generates two types of passwords: traditional and multi-word. Refer to How to generate a secure password for instructions regarding its use.

If you a Nexcess client and suspect someone has hacked your site, contact the Nexcess Support Team immediately.


For 24-hour assistance any day of the year, contact our Support Team by email or through the Client Portal.

Article Rating (No Votes)
Rate this article
  • Icon PDFExport to PDF
  • Icon MS-WordExport to MS Word
Attachments Attachments
There are no attachments for this article.
Related Articles RSS Feed
How can I prevent my site from being compromised?
Added on Mon, Mar 18, 2019
How to enable SSH access
Added on Mon, Dec 17, 2018
How to view shared secure data in your Client Portal
Added on Wed, Dec 5, 2018
How to reset your SSH password and add SSH keys in SiteWorx
Added on Mon, Dec 17, 2018
How to transfer files to a server with SFTP
Added on Wed, May 23, 2018
How to secure your ExpressionEngine website
Added on Mon, Jan 14, 2019
How to change your Client Portal password
Added on Mon, May 21, 2018
How to create SSH keys in Windows with PuTTY
Added on Wed, Dec 26, 2018
How to secure your WordPress site
Added on Wed, Dec 26, 2018
How to use the Nexcess Secure Password Generator
Added on Tue, Jan 15, 2019