# Safe passwords

> Your account is only as secure as your weakest password. This guide explains what makes a password strong, how to use a password manager, and how to add two-factor authentication to keep your hosting account safe.

Source: https://www.kualo.com/knowledgebase/getting-started/safe-passwords
Updated: 2026-06-05

---

Your account is only as secure as your weakest password. The stronger and more unique it is, the less chance there is of your account being compromised.

For a hosting account in particular, the stakes are high. A compromised cPanel password can give an attacker access to your files, databases, email accounts, and any websites you run. Taking a few minutes to improve your passwords now can prevent a serious and time-consuming recovery later.

Bots constantly scan the internet, trying lists of common passwords against every login form, mail server and control panel they find. Passwords like `password` or `john123` sit near the top of those lists and are guessed almost instantly. And if you use the same password in more than one place, a single breach anywhere can unlock every account you own.

## What makes a bad password

- It is a single dictionary word or name, even with a number or symbol added to the end.
- It is shorter than 12 characters.
- It contains no numbers or symbols.
- It is built from details about you, such as a birthday, pet or favourite team, that can be found online.
- It is reused across more than one account or service.

If any of that sounds like your current password, change it now.

## The danger of reusing passwords

Password reuse is one of the most common causes of account takeovers. When a website is breached, attackers dump the stolen credentials and immediately try them against other services - email providers, hosting control panels, banks, and more. This is called credential stuffing, and it works because most people reuse passwords.

Even a strong password gives you no protection if it has been exposed in a breach elsewhere. Using a unique password for every account is not optional - it is essential.

:::warning
If you reuse your Kualo or cPanel password anywhere else, change it now and make the new one unique.
:::

## Use a password manager

The most effective way to have strong, unique passwords for every account is to use a password manager. A password manager generates long, random passwords for you, stores them securely, and fills them in automatically. You only need to remember one strong master password.

Reputable password managers include:

- [Bitwarden](https://bitwarden.com) - open source, free tier available, cross-platform
- [1Password](https://1password.com) - well regarded, strong family and team plans
- [Dashlane](https://dashlane.com) - good usability, built-in breach monitoring
- [KeePassXC](https://keepassxc.org) - open source, stores your vault locally rather than in the cloud

Most password managers can also store two-factor authentication codes (see below), so you can manage both in one place. Bear in mind that this puts both factors in one vault: convenient, but anyone who gets into the vault then has everything, so protect the master password and enable 2FA on the manager itself.

:::tip
Bitwarden and KeePassXC are both free and open source. If cost is a concern, either is an excellent starting point.
:::

## Creating a strong password without a password manager

If you are not ready to use a password manager, you still need passwords that are long, complex, and unique. Here are two approaches.

### The passphrase method

A passphrase is a sequence of random words strung together. It is long enough to be secure but far easier to remember than a string of random characters. The words must be chosen for you by something random, such as dice rolled against a published word list or a generator, not picked from your head.

For example:

```
correct-horse-battery-staple
```

Four words chosen at random from a 7,776-word list (the size of the EFF long word list) give about 52 bits of entropy, which is out of reach of online guessing and expensive to brute-force offline even when the attacker knows the list; six words give about 78 bits. Add a number or symbol if a site insists on one:

```
correct-horse-battery-staple7!
```

The key word here is *random* - do not use words that relate to you personally, such as your name, town or favourite team, as those can be guessed. Do not use this exact example either: it comes from a widely shared comic and is in every cracking wordlist.
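The mechanics of the passphrase method, as an added example that is not part of the original Kualo article: a generator that picks words with Python's `secrets` module (a cryptographically secure source) and reports the entropy of the result. The sixteen-word list embedded here is a constructed sample for the demo; the 7,776 figure is the size of the EFF long word list, and the entropy formula assumes every word is drawn uniformly and independently from the list.

```python
import math
import secrets

# Constructed sixteen-word sample for the demo. For real use, load a published list
# such as the EFF long word list (7,776 words): the list size sets the entropy per
# word, so a small list like this one produces weak passphrases.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "meadow", "copper", "violin",
    "glacier", "pepper", "lantern", "orbit", "saddle", "timber", "walnut", "ember",
]

EFF_LONG_LIST_SIZE = 7776  # 6^5 entries, so five dice rolls select one word


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words chosen uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, n_words: int = 4, sep: str = "-") -> str:
    """Pick n_words with a CSPRNG. random.choice is seeded from the clock and is not suitable."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word and a list with at least two entries")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def is_from_list(passphrase: str, words, sep: str = "-") -> bool:
    """Sanity check used by the demo: every component came from the list."""
    return all(part in words for part in passphrase.split(sep))


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    print(f"4 words from {EFF_LONG_LIST_SIZE}: {entropy_bits(EFF_LONG_LIST_SIZE, 4):.1f} bits")
    print(f"6 words from {EFF_LONG_LIST_SIZE}: {entropy_bits(EFF_LONG_LIST_SIZE, 6):.1f} bits")
    print(f"12 random printable ASCII characters: {entropy_bits(95, 12):.1f} bits")
    print("words needed for 80 bits:", words_needed(EFF_LONG_LIST_SIZE, 80))
```

The 52-bit figure for four words is the strength of the scheme even when the attacker knows the list and the word count; that is the point of choosing the words randomly rather than meaningfully. A suffix such as `7!` only adds security if it too is chosen at random, which in practice it rarely is.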

### The substitution method

If you prefer something shorter, take a phrase and transform it using letter-to-symbol substitutions. Pick a phrase that is not connected to you; a favourite team or a birth year is exactly what an attacker who has looked you up will try first.

For example, starting from a phrase like "New York Yankees 1974":

```
Y@nk33$1974!
```

That is 12 characters and mixes upper and lowercase letters, symbols and numbers. Swapping `a` for `@`, `e` for `3` and `s` for `$` makes it harder to guess than the plain phrase, but not by as much as it looks: cracking tools apply exactly these substitutions, together with appended years and symbols, as standard "mangling rules", so a password built this way from one guessable word is still within reach. The length and the unpredictability of the base phrase matter far more than the symbols.
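Why the substitution method buys less than it looks, as an added example that is not from the original article: a deliberately small rule set of the kind found in hashcat and John the Ripper rule files, applied to the base word used in the example above. The substitution table, year range and symbol list are my own choices for the demo and are tiny compared with real rule files.

```python
import itertools

# A deliberately small rule set of my own for the demo, modelled on what hashcat and
# John the Ripper rule files do. Real rule files contain thousands of rules and are
# applied to wordlists of millions of base words.
LEET = {"a": "@", "e": "3", "s": "$", "o": "0", "i": "1"}
SYMBOLS = ["", "!", "?", "#", "*"]                    # common trailing symbols
YEARS = [""] + [str(y) for y in range(1950, 2030)]    # birth years, championship years


def leet_variants(word: str):
    """Yield every way of applying or skipping each substitution, letter by letter."""
    options = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word: str) -> set:
    """The handful of casings real rules try."""
    return {word, word.lower(), word.capitalize(), word.upper()}


def candidates(base: str) -> set:
    """All passwords this rule set derives from one base word."""
    out = set()
    for cased in case_variants(base):
        for leet in leet_variants(cased):
            for year in YEARS:
                for sym in SYMBOLS:
                    out.add(f"{leet}{year}{sym}")
    return out


def cracks(base: str, password: str) -> bool:
    """True if the rule set reaches `password` from `base`."""
    return password in candidates(base)


if __name__ == "__main__":
    pool = candidates("Yankees")
    print(f"{len(pool)} candidates derived from the single word 'Yankees'")
    print("Y@nk33$1974! reachable:", "Y@nk33$1974!" in pool)
    # A single consumer GPU tries on the order of 10^9 guesses per second against a
    # fast hash, so a pool this size is exhausted in a fraction of a millisecond.
```

Run it and `Y@nk33$1974!` appears among fewer than twenty thousand candidates generated from one word the attacker would try early against anyone known to follow that team. Compare that with the roughly 10^23 possibilities for 12 truly random printable characters.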

:::warning
Even with a strong password created this way, you must use a different one for every account. Writing them down in a notebook kept somewhere secure is better than reusing them, but a password manager is a much safer long-term solution.
:::

## Enable two-factor authentication

Two-factor authentication (2FA) adds a second layer of protection on top of your password. Even if someone obtains your password, they cannot log in without also having access to your second factor - typically a six-digit code from an app on your phone that changes every 30 seconds, derived from a secret shared with the service when you enrol.

2FA defeats credential stuffing and password guessing outright, because the attacker has only the password. Even a weaker password with 2FA enabled is better protected against those attacks than a strong password alone. It does not protect you from a phishing page that asks for the code and relays it to the real site within the 30 seconds it is valid, so keep checking that you are logging in at the genuine address. Ideally, use both: a strong unique password *and* 2FA.

Common 2FA apps include:

- [Aegis](https://getaegis.app) (Android, open source)
- [Raivo](https://raivo-otp.com) (iOS, open source)
- [Authy](https://authy.com) (Android and iOS, multi-device sync)

As noted above, most password managers can also generate and store 2FA codes, so you may not need a separate app at all.

Where Kualo services offer 2FA - including cPanel - you should enable it. Check the knowledgebase for guides on enabling 2FA for your specific services.

## Check whether your details have already been exposed

Even if you follow all the advice above going forward, your email address or passwords may already have appeared in a past data breach from another service. You can check for free at [Have I Been Pwned](https://haveibeenpwned.com). Enter your email address and the site will tell you whether it has appeared in any known breach, and which service was involved.

If your email address appears in a breach, check whether you used the same password for your Kualo account or cPanel. If you did, change it immediately.
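Have I Been Pwned also runs a Pwned Passwords service, not mentioned in the article above, whose range API lets you check a password without ever sending it: the client sends only the first five hex characters of the password's SHA-1 hash and matches the remaining 35 characters locally against the list that comes back. As an added example, not code from the article or from Have I Been Pwned, here is that client-side logic with a constructed response body standing in for the HTTP call. The suffix for `password` is the real remainder of its SHA-1 hash; the counts and the second suffix are made up for the demo.

```python
import hashlib

API_BASE = "https://api.pwnedpasswords.com/range/"   # real endpoint: GET {API_BASE}{prefix}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """k-anonymity split: the 5-character prefix is sent, the 35-character suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return API_BASE + prefix


def parse_range_response(body: str) -> dict:
    """Response lines are 'SUFFIX:COUNT'; map each suffix to how often it was seen in breaches."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) returns the response body for that prefix. It is injected so the
    demo runs offline; the remote service only ever learns the five-character prefix."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the API. Only the prefix of SHA-1("password") is populated. The
# first suffix really is the rest of that hash; the count and the second line are made up.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
             "00000000000000000000000000000000000:1\n",
}


def offline_fetch(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple"):
        prefix, _ = split_hash(pw)
        print(f"{pw!r}: would GET {range_url(prefix)}; "
              f"seen {pwned_count(pw, offline_fetch)} times in the sample data")
```

To use it for real, replace `offline_fetch` with a function that performs the GET (for example with `urllib.request`) and returns the response text; the second password reports zero here only because the sample data contains nothing for its prefix. A password that appears even once should be treated as burned and changed everywhere it was used.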

:::tip
Have I Been Pwned is run by a well-known security researcher and is safe to use. It does not store or misuse the addresses you search for.
:::

## If you think your account has already been compromised

If you suspect your Kualo account or cPanel has been accessed without your permission, act quickly:

1. Change your Kualo account password and your cPanel password immediately, from a device you trust.
2. Enable 2FA on both if you have not already done so.
3. Change the passwords of the email accounts, FTP accounts and databases under your cPanel account as well; an attacker with file access can read database credentials from your site's configuration files.
4. Check your cPanel email accounts for any forwarders or filters you did not set up, and review FTP accounts, cron jobs and SSH keys for entries you do not recognise.
5. Review your files for anything unfamiliar - Imunify360 and Patchman, which are active on your hosting account, can help identify malicious files.
6. Contact Kualo support so we can check for any suspicious activity on your account.

## Quick checklist

- Use a unique password for every account.
- Use a password manager to generate and store them.
- Make passwords at least 12 characters long.
- Enable 2FA wherever it is available.
- Check whether your email address has appeared in a known breach at [Have I Been Pwned](https://haveibeenpwned.com).


---

_Source: Kualo Knowledgebase — https://www.kualo.com/knowledgebase/getting-started/safe-passwords · © Kualo Ltd._
