Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#28910 closed defect (bug) (invalid)

Password strength meter reporting 'Very Weak' for decent(?) password

Reported by: philipjohn
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.9.1
Component: Security
Keywords:
Focuses:
Cc:

The password strength meter is reporting 'On3Hydra10!' as "very weak" despite many online password checkers I used seeing it as at least decent. I've verified this happens on vanilla WP.

I checked the password against online password strength meters with the following results:

  • "100%"
  • "Medium"
  • "4 thousand years to crack"
  • "1.83 years to crack"
  • "Reasonable"
  • "69%"
  • "10 months to crack"
  • "2 hours to crack"
  • "weak"

The last two do raise the possibility that WP is right and the other 7 password checkers aren't up to scratch, so this may not be a bug. What makes me question that theory is that omitting the exclamation mark upgrades the status to "weak", which feels wrong.

I.e., WP says:
On3Hydra10! = Very Weak
On3Hydra10 = Weak

Change History (2)

#1 @iandunn
10 years ago

  • Focuses ui removed
  • Resolution set to invalid
  • Status changed from new to closed

WordPress uses zxcvbn to measure password strength, so the best place to report this is directly to them.

I'm not sure there actually is a problem, though. I think most password strength meters are 5+ years behind current cracking technology, and On3Hydra10! is weak by today's standards (versus a strong password like HsqZu247@8,PMA@74&r=}+63({&4w9). I wouldn't be surprised if the ! at the end is being penalized because it's so predictable.

It's extremely common for people to tack on a symbol at the end of a password, and ! is one of the most commonly used symbols. Hackers know that, and build their cracking tools accordingly. The fact that removing it improved the grade could reveal a lack of nuance in zxcvbn's algorithm, but at the end of the day I wouldn't recommend using either of those passwords.

It's much better to use a randomly generated password, along with a password manager to make it convenient.
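The point made in comment #1 (a trailing "!" is cheap for a rule-based cracker, while naive meters reward every extra character class) as an added Python example; this is not part of the ticket and not zxcvbn's code. It scores the two passwords from the report with a charset-size-to-the-length model, the kind of arithmetic simple online checkers do, and with a toy pattern-aware model in the spirit of zxcvbn (dictionary words with capitalisation and leet undone, digit runs, common trailing symbols). The wordlist, leet table and "common trailing symbols" set are constructed assumptions; the toy model does not reproduce zxcvbn's exact "Very Weak" vs "Weak" ordering, it only shows that the "!" buys about 2 bits rather than a whole extra character class. It also generates the kind of random password the comment recommends instead.

```python
import math
import secrets
import string

# Constructed, frequency-ranked mini wordlist: an assumption standing in for the
# large dictionaries real crackers use (rank 1 = tried first).
WORDLIST = ["password", "one", "hydra", "dragon", "monkey", "letmein"]
RANK = {word: i + 1 for i, word in enumerate(WORDLIST)}

# Leet substitutions a cracker undoes before the dictionary lookup (assumed set).
LEET = {"3": "e", "0": "o", "1": "i", "@": "a", "$": "s", "4": "a", "5": "s", "7": "t"}

# Symbols people most often tack on at the end (assumed set); a rule-based
# cracker tries these few before the full symbol table.
COMMON_TAIL_SYMBOLS = "!@#$"

SYMBOLS = string.punctuation                                 # 32 characters
PRINTABLE = string.ascii_letters + string.digits + SYMBOLS   # 94 characters


def naive_guesses(password):
    """Charset-size ** length: roughly what a simple online meter scores."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in SYMBOLS for c in password):
        charset += len(SYMBOLS)
    return charset ** len(password)


def _dictionary_match(password, start):
    """Longest dictionary word starting at `start`, after lower-casing and undoing
    leet. Returns (length, guesses) or None. Capitalisation and leet are cheap
    variations for a cracker, so each only doubles the cost."""
    for end in range(len(password), start, -1):
        chunk = password[start:end]
        plain = "".join(LEET.get(c, c) for c in chunk.lower())
        if plain in RANK:
            guesses = RANK[plain]
            if chunk != chunk.lower():
                guesses *= 2
            if plain != chunk.lower():
                guesses *= 2
            return end - start, guesses
    return None


def _run_length(password, start, pred):
    end = start
    while end < len(password) and pred(password[end]):
        end += 1
    return end - start


def pattern_guesses(password):
    """Toy pattern-aware estimate in the spirit of zxcvbn (not its algorithm):
    greedily split the password into tokens a cracker generates cheaply and
    multiply the per-token guess counts."""
    total, i = 1, 0
    while i < len(password):
        match = _dictionary_match(password, i)
        if match:
            length, guesses = match
        elif password[i].isdigit():
            length = _run_length(password, i, str.isdigit)
            guesses = 10 ** length
        elif password[i] in SYMBOLS:
            length = _run_length(password, i, lambda c: c in SYMBOLS)
            run = password[i:i + length]
            if i + length == len(password) and all(c in COMMON_TAIL_SYMBOLS for c in run):
                guesses = len(COMMON_TAIL_SYMBOLS) ** length  # predictable trailing symbol
            else:
                guesses = len(SYMBOLS) ** length
        else:
            length, guesses = 1, len(PRINTABLE)  # no structure: brute-force one character
        total *= guesses
        i += length
    return total


def bits(guesses):
    """Guess count expressed as bits, for comparing the two models."""
    return round(math.log2(guesses), 1)


def generate_password(length=20):
    """What the comment recommends instead: a CSPRNG-generated password, which
    leaves no cheap tokens for the pattern model to exploit."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


if __name__ == "__main__":
    for pw in ("On3Hydra10!", "On3Hydra10", generate_password()):
        print(f"{pw:22} naive={bits(naive_guesses(pw)):6.1f} bits  "
              f"pattern={bits(pattern_guesses(pw)):6.1f} bits")
```

Under the naive model "On3Hydra10!" scores 94^11, about 72 bits, which is why the online checkers called it decent; the pattern model tokenises it as On3 (leet "one"), Hydra, 10, "!" and arrives at 19200 guesses, about 14 bits, and dropping the "!" removes only a factor of 4. A 20-character password from `generate_password()` scores about 131 bits under both models.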

#2 @helen
10 years ago

  • Milestone Awaiting Review deleted