Strong passwords: your website's first line of defence (and how to actually remember them)

Look, we get it. Password advice can feel like being nagged to eat your vegetables. But here's the thing — strong passwords aren't just good practice, they're genuinely the difference between a secure website and one that's vulnerable to attack.

And before you groan about "another impossible string of characters to remember," we promise this isn't that kind of lecture. We're going to show you how to create passwords that are both properly secure and surprisingly memorable.

We've got your back (but we need you to meet us halfway)

At Avoca, we take website security seriously. For all our clients, we:

  • Use premium WordPress and Statamic hosting with built-in security features

  • Monitor your site regularly and keep everything updated—WordPress core, themes, plugins, the lot

  • Use administrator passwords that are 50+ random characters (yes, really)

  • Maintain multiple backup systems, so there's always a safety net

  • Keep an eye on suspicious login attempts

But here's the catch: the strongest hosting and most vigilant monitoring can't protect you if your password is "Password123." That's where you come in.

Why hackers love weak passwords (and how they crack them)

These days, automated attacks are just part of the landscape of managing a website. Hackers use what's called a "brute force attack" — basically, they throw thousands (or millions) of username and password combinations at your login page until something works.

Modern attack tools can make billions of guesses per second. Billions. If your password is something like "admin" or "123456" or even "Summer2024!" you're essentially leaving the front door wide open. We have seen someone use “Password123” as an Administrator password for their website, and they wondered why their website got hacked - seriously!

Once someone gets into your administrator account, they can install malicious code, redirect your visitors, steal data, or turn your website into a spam factory. Not ideal.

The old password advice doesn't cut it anymore

Remember when we were all told to create passwords like "Tr0ub4dor&3" - take a word, capitalise some letters, swap in some numbers, chuck in a symbol? Turns out that's not nearly as secure as we thought.

That password style has about 28 bits of entropy (that's the measure of how unpredictable something is). At modern cracking speeds, it could be broken in minutes to hours.

Compare that to something like "correct-horse-battery-staple" — four random common words strung together. That has 44 bits of entropy and would take exponentially longer to crack. Years, not hours.

The lesson? Length and randomness beat complexity every time.

Tools that do the hard work for you

If you want a truly random password, there are brilliant tools that'll generate one for you:

  • 1Password — Our top pick. Generates strong passwords, stores them securely, and works across all your devices

  • Bitwarden — Excellent open-source alternative

  • xkpasswd — Free online tool for creating memorable random passphrases

These password managers don't just generate passwords, they remember them for you. You only need to remember one master password, and the software handles the rest. Life-changing, honestly.
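To make the entropy figures above and the job of a passphrase generator concrete, here is an added Python example (not code from Avoca or from any of the tools listed). It assumes a 2048-word list, which is where 44 bits for four words comes from (11 bits per word), and 94 printable symbols for random-character passwords; the short word list is constructed for the demo. The bit counts only hold when every word is picked at random by the machine, not chosen by a person.

```python
import math
import secrets

# Constructed sample list for the demo; a real list should hold thousands
# of words (2048 words gives 11 bits per word).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "kayak", "lake",
                "rock", "pool", "camp", "bus", "leg", "egg",
                "helicopter", "hospital", "school", "freezing"]


def passphrase_bits(word_count, list_size):
    """Entropy in bits of word_count words drawn uniformly from list_size."""
    return word_count * math.log2(list_size)


def random_chars_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random string over an alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def average_crack_seconds(bits, guesses_per_second):
    """Expected guessing time: half the keyspace at the caller's guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_passphrase(wordlist, word_count, separator="-"):
    """Pick words with the OS CSPRNG (secrets), never the random module."""
    unique = sorted(set(wordlist))
    if len(unique) < 2:
        raise ValueError("wordlist needs at least two distinct words")
    words = [secrets.choice(unique) for _ in range(word_count)]
    return separator.join(words), passphrase_bits(word_count, len(unique))


if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS, 6)
    print(f"{phrase}  ({bits:.0f} bits from a {len(SAMPLE_WORDS)}-word demo list)")
    print("4 words, 2048-word list:", passphrase_bits(4, 2048), "bits")
    print("50 random chars, 94 symbols:", round(random_chars_bits(50, 94)), "bits")
    print("words needed for 64 bits:", words_needed(64, 2048))
```

The demo list is deliberately tiny, so the passphrase it prints is weak; swap in a full-size word list before using the output for anything real.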

Or get creative: the memory trick that actually works

Not keen on randomly generated gibberish? Fair enough. Here's a method we love, borrowed from a surprisingly good thriller novel: create a password from a specific memory that only you would know.

The formula is simple: location-what-happened-why-it-matters

Pull from your childhood, a minor mishap, or even something oddly specific that no one else would connect. String together 5–7 words that tell the tiny story. For example:

  • slipped-broke-leg-helicopter-hospital

  • grannies-dunny-throw-downs-big-bang

  • school-camp-kayak-tipped-freezing-lake

  • waiwera-pools-shallow-dive-egg-head

  • school-bus-big-rock-broken-axel

These are long, unique, surprisingly hard to guess - and you'll actually remember them because they're tied to real life moments. Even if you've told people the story, they'd never guess your exact word combination.

What we're doing to help

For all new sites we build, we're requiring strong passwords from the start—no more "get me in quickly with something simple." We know it feels like an extra hoop to jump through, but here's the reality: we can have every security measure under the sun in place, and it won't mean much if your password is "Welcome123."

Strong passwords are genuinely one of the most effective (and simplest) ways to protect your website. Think of it this way - we can install the best locks on your front door, but if you leave the key under the mat, we're back to square one.

If you're on one of our legacy WordPress sites and haven't updated your password in a while, now's a great time to do it. (We'll even walk you through setting up a password manager if you'd like - just give us a shout.)

The bottom line

Strong passwords are your website's first line of defence. They're not foolproof - nothing is - but they make you a much harder target. And when hackers are running automated attacks that try millions of sites, "harder target" is often all you need to be.

So take five minutes, generate a proper password (or craft a memorable one), and store it somewhere secure. Your future self, and your website, will thank you.

Need a hand? We're always happy to help you get set up with a password manager or talk through your site's security. Just get in touch.
