Index: src/wp-admin/includes/user.php
===================================================================
--- src/wp-admin/includes/user.php	(revision 25158)
+++ src/wp-admin/includes/user.php	(working copy)
@@ -370,3 +370,64 @@
 	printf( '<a href="%s" id="default-password-nag-no">' . __('No thanks, do not remind me again') . '</a>', '?default_password_nag=0' );
 	echo '</p></div>';
 }
+
+/**
+ * Creates an array of values that would lower the entropy of a password, and should be lower the score if used
+ *
+ * @return array
+ */
+function zxcvbn_user_input_blacklist() {
+	global $current_user;
+	$strip_chars = array( ' ', '.', '-', ',', '@', 'http://', 'https://', '/' );	// @todo actually, strip out anything that's not [azAZ], and then http(s) ?
+
+	// Generic
+	$blacklist = array( 'WordPress', 'wp', 'blog' );
+
+	// Current user
+	$blacklist = array_merge( $blacklist, array(
+		$current_user->data->user_login,
+		$current_user->data->user_nicename,	// if dupe it'll be removed at end
+		str_replace( $strip_chars, ' ', $current_user->data->user_email ),
+		str_replace( $strip_chars, ' ', $current_user->data->user_url ),
+		get_user_meta( $current_user->data->ID, 'first_name', true ),
+		get_user_meta( $current_user->data->ID, 'last_name', true ),
+		get_user_meta( $current_user->data->ID, 'description', true ),
+	) );
+
+	// The user currently being edited
+	if ( 'user-edit.php' == basename( $_SERVER['SCRIPT_NAME'] ) && isset( $_GET['user_id'] ) ) {
+		$user_being_edited = get_userdata( (int) $_GET['user_id'] );
+
+		if ( $user_being_edited ) {
+			$blacklist = array_merge( $blacklist, array(
+				$user_being_edited->data->user_login,
+				$user_being_edited->data->user_nicename,
+				str_replace( $strip_chars, ' ', $user_being_edited->data->user_email ),
+				str_replace( $strip_chars, ' ', $user_being_edited->data->user_url ),
+				get_user_meta( $user_being_edited->data->ID, 'first_name', true ),
+				get_user_meta( $user_being_edited->data->ID, 'last_name', true ),
+				get_user_meta( $user_being_edited->data->ID, 'description', true ),
+			) );
+		}
+	}
+
+	// Current site
+	$blacklist[] = str_replace( $strip_chars, ' ', home_url() );
+	$blacklist[] = str_replace( $strip_chars, ' ', get_bloginfo( 'name' ) );
+	$blacklist[] = str_replace( $strip_chars, ' ', get_bloginfo( 'description' ) );
+	$blacklist[] = str_replace( $strip_chars, ' ', get_bloginfo( 'admin_email' ) );
+
+	// Clean up the results
+	$blacklist_exploded = array();
+	foreach ( $blacklist as $value ) {
+		$blacklist_exploded = array_merge( $blacklist_exploded, explode( ' ', strtolower( $value ) ) );
+	}
+	$blacklist = $blacklist_exploded;
+
+	// todo remove any words that aren't at least 4 chars, otherwise things like "i", "a", "and", etc will hit lots of stuff
+
+	$blacklist = array_unique( $blacklist );
+	$blacklist = array_filter( $blacklist, 'strlen' );	// removes empty and null values
+
+	return apply_filters( 'zxcvbn_user_input_blacklist', $blacklist );
+}
\ No newline at end of file
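Review bot: The array returned at the end of `zxcvbn_user_input_blacklist()` keeps the sparse keys left behind by `array_unique()` and `array_filter()`, so when it is JSON-encoded into `_zxcvbnSettings` it will most likely serialise as an object rather than a list. If so, zxcvbn would not treat it as a list of user inputs and the penalty would silently stop applying; re-index on the way out with `return array_values( apply_filters( 'zxcvbn_user_input_blacklist', $blacklist ) );`. The function also dereferences `$current_user->data` unconditionally, which looks unsafe on screens where nobody is logged in, such as a password-reset page (to be confirmed against the callers). Because the tokens include pieces of the admin e-mail and of user profile fields and are printed into page source, the docblock should state that everything returned is visible to anyone who can load the page.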
Index: src/wp-admin/js/password-strength-meter.js
===================================================================
--- src/wp-admin/js/password-strength-meter.js	(revision 25158)
+++ src/wp-admin/js/password-strength-meter.js	(working copy)
@@ -1,6 +1,13 @@
-function passwordStrength(password1, username, password2) {
+/**
+ * Validate a user's new password
+ *
+ * @param string password1 The password
+ * @param string username The username. Deprecated in favor of _zxcvbnSettings.userInputBlacklist
+ * @param string password2 The confirmed password
+ */
+function passwordStrength( password1, username, password2 ) {
 	if (password1 != password2 && password2.length > 0)
 		return 5;
-	var result = zxcvbn( password1, [ username ] );
+	var result = zxcvbn( password1, _zxcvbnSettings.userInputBlacklist );
 	return result.score;
 }
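Review bot: `_zxcvbnSettings.userInputBlacklist` is dereferenced in `passwordStrength()` with no fallback, and the `username` argument is now silently ignored. The script-loader.php hunk only localizes `_zxcvbnSettings` when `did_action( 'init' )` is true, so the global can be missing. Callers that still pass a username, or screens where the login name is typed into the form and so cannot be in a server-built list, lose the "password contains the username" penalty. The user-profile.js hunk, which now passes `''`, is affected the same way. Merging both sources keeps the check fail-safe: `var inputs = ( window._zxcvbnSettings && _zxcvbnSettings.userInputBlacklist || [] ).concat( username ? [ username ] : [] );` followed by `var result = zxcvbn( password1, inputs );`. The new docblock would also benefit from an `@return` line noting that 5 means mismatch and that any other value is the zxcvbn score.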
Index: src/wp-admin/js/user-profile.js
===================================================================
--- src/wp-admin/js/user-profile.js	(revision 25158)
+++ src/wp-admin/js/user-profile.js	(working copy)
@@ -9,7 +9,7 @@
 			return;
 		}
 
-		strength = passwordStrength(pass1, user, pass2);
+		strength = passwordStrength( pass1, '', pass2 );
 
 		switch ( strength ) {
 			case 2:
Index: src/wp-includes/script-loader.php
===================================================================
--- src/wp-includes/script-loader.php	(revision 25158)
+++ src/wp-includes/script-loader.php	(working copy)
@@ -312,6 +312,7 @@
 	$scripts->add( 'zxcvbn-async', "/wp-includes/js/zxcvbn-async$suffix.js", array(), '1.0' );
 	did_action( 'init' ) && $scripts->localize( 'zxcvbn-async', '_zxcvbnSettings', array(
 		'src' => includes_url( '/js/zxcvbn.min.js' ),
+		'userInputBlacklist' => zxcvbn_user_input_blacklist(),
 	) );
 
 	$scripts->add( 'password-strength-meter', "/wp-admin/js/password-strength-meter$suffix.js", array( 'jquery', 'zxcvbn-async' ), false, 1 );
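Review bot: The added `'userInputBlacklist' => zxcvbn_user_input_blacklist(),` line calls a function that this patch defines in `src/wp-admin/includes/user.php`, while the call site is in `wp-includes`. If that admin include is not loaded on every request that registers default scripts (front end, login and reset screens), this would be a fatal undefined-function error. It is safer to move the definition next to the caller, or at least to guard the call: `'userInputBlacklist' => function_exists( 'zxcvbn_user_input_blacklist' ) ? zxcvbn_user_input_blacklist() : array(),`. The call is also evaluated eagerly at registration time, so the user-meta lookups run even on pages that never enqueue the strength meter. The enclosing function starts and ends outside this hunk.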
