Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#28910 closed defect (bug) (invalid)

Password strength meter reporting 'Very Weak' for decent(?) password

Reported by: philipjohn
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.9.1
Component: Security
Keywords:
Focuses:
Cc:

Description

The password strength meter is reporting 'On3Hydra10!' as "very weak" despite many online password checkers I used seeing it as at least decent. I've verified this happens on vanilla WP.

I checked the password against online password strength meters with the following results:
http://www.passwordmeter.com/ - "100%"
https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx - "Medium"
https://howsecureismypassword.net/ - "4 thousand years to crack"
https://www.grc.com/haystack.htm - "1.83 years to crack"
http://rumkin.com/tools/password/passchk.php - "Reasonable"
http://password-checker.online-domain-tools.com/ - "69%"
https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html - "10 months to crack"
http://blog.kaspersky.com/password-check/ - "2 hours to crack"
https://www.my1login.com/content/password-strength-test.php - "weak"

The last two do raise the possibility that WP is right and the other 7 password checkers aren't up to scratch, so this may not be a bug. What makes me question that theory is that omitting the exclamation mark upgrades the status to "weak", which feels wrong.

I.e., WP says:
On3Hydra10! = Very Weak
On3Hydra10 = Weak

Change History (2)

#1 @iandunn
10 years ago

  • Focuses ui removed
  • Resolution set to invalid
  • Status changed from new to closed

WordPress uses zxcvbn to measure password strength, so the best place to report this is directly to them.

I'm not sure there actually is a problem, though. I think most password strength meters are 5+ years behind current cracking technology, and On3Hydra10! is weak by today's standards (versus a strong password like HsqZu247@8,PMA@74&r=}+63({&4w9). I wouldn't be surprised if the ! at the end is being penalized because it's so predictable.

It's extremely common for people to tack on a symbol at the end of a password, and ! is one of the most commonly used symbols. Hackers know that, and build their cracking tools accordingly. The fact that removing it improved the grade could reveal a lack of nuance in zxcvbn's algorithm, but at the end of the day I wouldn't recommend using either of those passwords.

It's much better to use a randomly generated password, along with a password manager to make it convenient.
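
As an added illustration (not zxcvbn's code and not part of this ticket), a toy pattern-based guess estimator in the spirit of the approach iandunn describes: dictionary words with l33t substitutions and a predictable trailing symbol cost far fewer guesses than the same length of random characters. The word list, l33t table and suffix-symbol ranking are constructed placeholders; real zxcvbn uses much larger dictionaries and more matchers, so its numbers will differ.

```javascript
// Added example, not zxcvbn's code: a toy pattern-based guess estimator.
// Constructed inputs: tiny word list, l33t table and suffix-symbol ranking.
const WORDS = ["one", "hydra", "password", "dragon"]; // rank = index + 1
const L33T = { "3": "e", "0": "o", "1": "i", "@": "a", "$": "s" };
const COMMON_SUFFIX_SYMBOLS = "!.?@#$"; // most common first (constructed)

const unleet = (s) => s.split("").map((c) => L33T[c] || c).join("");

// Greedy tokeniser: longest dictionary word (after undoing l33t), else a
// digit run, a symbol run, or a single letter.
function tokenize(pw) {
  const tokens = [];
  let i = 0;
  while (i < pw.length) {
    let tok = null;
    for (let j = pw.length; j > i && !tok; j--) {
      const piece = pw.slice(i, j);
      if (WORDS.includes(unleet(piece.toLowerCase()))) tok = { type: "word", text: piece };
    }
    if (!tok) {
      const text = pw.slice(i).match(/^(\d+|[^A-Za-z0-9]+|.)/)[0];
      const type = /^\d/.test(text) ? "digits" : /^[A-Za-z]/.test(text) ? "letter" : "symbols";
      tok = { type, text };
    }
    tokens.push(tok);
    i += tok.text.length;
  }
  return tokens;
}

// Guesses per token. A dictionary word costs its rank times small factors for
// capitalisation and l33t; a top-ranked symbol at the very end costs only its
// rank, because such suffixes are tried first. Random letters/symbols cost a
// full alphabet per position.
function tokenGuesses(tok, isLast) {
  if (tok.type === "word") {
    const rank = WORDS.indexOf(unleet(tok.text.toLowerCase())) + 1;
    return rank * (/[A-Z]/.test(tok.text) ? 2 : 1) * (tok.text !== unleet(tok.text) ? 2 : 1);
  }
  if (tok.type === "digits") return 10 ** tok.text.length;
  if (tok.type === "letter") return 26;
  const rank = COMMON_SUFFIX_SYMBOLS.indexOf(tok.text);
  if (isLast && rank >= 0) return rank + 1; // predictable suffix is nearly free
  return 33 ** tok.text.length; // ~33 printable symbols per position
}

// Total guesses = product over tokens (a deliberately simple model).
function estimateGuesses(pw) {
  const toks = tokenize(pw);
  return toks.reduce((acc, t, i) => acc * tokenGuesses(t, i === toks.length - 1), 1);
}
```

Under this model "On3Hydra10!" and "On3Hydra10" both come out at 1600 guesses, while the random string from the comment above lands far beyond 10^20.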

#2 @helen
10 years ago

  • Milestone Awaiting Review deleted