WordPress has improved its approach to password security, and strong passwords are now generated by default.
To change an existing password, select Users > Your Profile from the main dashboard menu and scroll down to the Account Management section. WordPress will automatically generate a strong password when you click the Generate Password button. Alternatively, type in your own password and the strength meter will tell you whether it is strong or weak. If the password is weak, you have to check a box to confirm the use of a weak password. You also have the option to hide the password from prying eyes. Click the Update Profile button to save changes.
WordPress will no longer send passwords via email. For example, if you click on ‘Lost your password?’, you will instead receive a password reset link with a 24-hour expiry window. Once clicked, the password reset link will pre-populate the new password window with a strong password (which you can still alter) and show a Reset Password button to confirm.
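The sketch below is an added example, not WordPress's own code: it shows in general terms why an expiring reset link is safer than an emailed password, using a random single-use token that is stored only as a hash and rejected after 24 hours. The function names, the in-memory store and the sample user and timestamp are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 24 * 60 * 60  # the 24-hour expiry window described above

# Hypothetical in-memory store: user -> (sha256 of token, issue time).
_pending = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user, now=None):
    """Create a reset token; only its hash is kept server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[user] = (_digest(token), now)  # replaces any earlier token
    return token  # goes into the emailed link; no password is ever mailed


def redeem_reset_token(user, token, now=None):
    """Return True once for a valid, unexpired token; False otherwise."""
    now = time.time() if now is None else now
    record = _pending.get(user)
    if record is None:
        return False
    stored_digest, issued_at = record
    if now - issued_at > RESET_TTL_SECONDS:
        del _pending[user]  # expired links are discarded
        return False
    if not hmac.compare_digest(stored_digest, _digest(token)):
        return False
    del _pending[user]  # single use: a replayed link fails
    return True


def demo():
    t0 = 1_700_000_000  # constructed timestamp
    results = {}
    tok = issue_reset_token("alice", now=t0)  # "alice" is a constructed user
    results["wrong_token"] = redeem_reset_token("alice", "guess", now=t0 + 60)
    results["valid"] = redeem_reset_token("alice", tok, now=t0 + 3600)
    results["replayed"] = redeem_reset_token("alice", tok, now=t0 + 3601)
    late = issue_reset_token("alice", now=t0)
    results["expired"] = redeem_reset_token("alice", late, now=t0 + RESET_TTL_SECONDS + 1)
    return results
```

Calling `demo()` shows that only the first use of a correct token inside the window succeeds; a guessed, replayed or late token is refused.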
Whenever a password or email address is amended, an email alert is sent to you. Therefore, if the browser session is hijacked and the email or password is changed, you will be notified that it happened and can quickly take action.