25 Years of Programming
An open source source for C, C++, OWL, BASIC, MDB, XLS, DOT, and more...

Information about password creation and usage, supplementing the article at:

Website passwords: Best practices

1) Always use strong passwords

A password MUST NOT be a single word that is in any human language dictionary, and it's best if it does not even contain any real word in any language. It should be completely meaningless random characters, and at least 8 characters long. Some people use 20.

If you've never seen a strong password before, go to GRC's Ultra High Security Password Generator. The third row on that page ("63 random alpha-numeric characters") contains the types of characters to use for cPanel passwords. Pick however many consecutive characters you need from that row.

  • If you create your own passwords, use a random mixture of upper and lower case letters, and digits. Special characters (punctuation, etc.) do not seem to be allowed by cPanel.
  • Do not use "clever" leet-speak variations of your name, your website's name, your spouse's name, your pet's name, your favorite sport, song, musical band, or any other real words. No matter how you do it, basing a password on real words or their variations makes it less secure than it should be.
  • In some old versions of cPanel, only 8 characters are significant. In that case, use all 8; 8 is barely enough. Use more if it's allowed.
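As an added example (not code from the original article), here is a small Python checker and generator that enforces the rules above: cPanel's letters-and-digits alphabet, the 8-character minimum, a mix of upper case, lower case and digits, and no real word even after common leet-speak substitutions. The wordlist and the leet table are constructed stand-ins; a real deployment would load a full dictionary.

```python
import re
import secrets
import string

# cPanel-style alphabet from the article: upper, lower, digits; no punctuation.
ALPHABET = string.ascii_letters + string.digits

# Constructed mini wordlist standing in for a real dictionary (assumption:
# a real checker would load a full list such as /usr/share/dict/words).
WORDLIST = {"password", "welcome", "dragon", "fluffy", "football", "steven"}

# Common leet-speak substitutions, reversed, so "F1uffy" and "Welc0me"
# map back to their dictionary source before the lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def contains_dictionary_word(password: str, words=WORDLIST) -> bool:
    """True if any dictionary word, or a leet-speak variant of one,
    appears anywhere inside the password (case-insensitive)."""
    lowered = password.lower()
    normalised = lowered.translate(LEET)
    return any(w in lowered or w in normalised for w in words)


def check_password(password: str, min_len: int = 8) -> list:
    """Return the rules from the article that the password breaks.
    An empty list means the password passes every rule."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not re.fullmatch(r"[A-Za-z0-9]+", password):
        problems.append("contains characters cPanel does not accept")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
            and re.search(r"[0-9]", password)):
        problems.append("does not mix upper, lower and digits")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word or leet variant")
    return problems


def generate_password(length: int = 20) -> str:
    """Return a cPanel-compatible password drawn from a CSPRNG (secrets).
    Re-draws until the result passes check_password, so a short password
    cannot come out all-digits or all-lowercase by chance."""
    if length < 8:
        raise ValueError("article minimum is 8 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw
```

Run `check_password` against a candidate before saving it; a non-empty list names exactly which of the article's rules it violates.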

The #1 threat to your website is internet attackers. There are thousands of them, and they will definitely try to damage your website if they get in. That is why you MUST use strong passwords that are nearly impossible to discover. The strength of a password must be the FIRST consideration, top priority.

Now write down your strong password so you don't forget it. People sometimes avoid strong passwords because they've heard passwords should never be written down. That rule was for Defense Department workers who had to worry about Soviet spies rummaging through their desks. You don't. You have to worry about internet hackers. They cannot ransack your desk, but they are very, very good at cracking bad passwords!

  • Writing down your strong password is only a trivial security risk.
  • Using a weak password because that's the only kind you can remember is a huge security risk.

Keep your written passwords however safe your particular situation requires. Think about it. If you have mischievous children, don't leave passwords lying around where they can find them. If you have malevolent coworkers, don't leave passwords in your desk drawers at work. Do you habitually lose your wallet or purse? Well then, don't keep them there, either. Take whatever precautions are necessary for YOUR situation.

If your environment really does have dangerous spies (not necessarily of the KGB, CIA, or MI6 variety), you can probably write your passwords down in such a way that no one who finds them will know what they are. Make them the first letters of a grocery list, or a personal letter or memo. And if you have a password that you must carry into insecure environments, you probably don't need to remind yourself which account it's for, so don't write that part down.

There is more information about strong passwords at Wikipedia.

A Wired article, Secure Passwords Keep You Safer, describes how an intelligently designed dictionary attack shortens the time it takes to guess a password by trying the most common passwords first and resorting to random guessing only as a last resort. It's these automated dictionary attacks you have to outsmart, not some 14-year-old wannabe on a home PC. It also links to an article about the psychology of password creation. Whatever data is known about real passwords created by real people is used in the design of dictionary attacks.

a) Keep your UserID secret, too.

Your UserID is the other piece of information someone needs to log in as you. Keep it as secret as possible, too, and don't post it in forum messages, as some people do.

2) Use a different password for every purpose

The passwords you use for cPanel, FTP (if possible), password protection of individual folders, database connections, each of your email accounts, and your helpdesk login at your webhost should all be different. Never use a password in more than one login location. This is because:

  1. Hackers test a cracked password from one location (such as an email account) to see if it will also work elsewhere (such as cPanel, FTP, and even your bank's website, if they know it). This is because so many people use a single password in multiple places. If you use different ones, someone who obtains one of the passwords will still be locked out of the other areas.
     
  2. Not all your passwords are stored in equally secure locations and formats. Some of them are easier to obtain than others. Your cPanel password, for example, is normally very secure. It is not even stored in your website files. But what if you also use it for your database connections? In that case, it is exposed in plain text in your PHP scripts. Email account passwords are also stored in website files. They are encrypted, but someone who gets the files may find it easy to decrypt them offline, where the process is much faster. If you use the same password everywhere, it is only as secure as its least secure storage location.

Copyright ©2008 Steven Whitney. Last modified 04/02/2008.