#28910 closed defect (bug) (invalid)
Password strength meter reporting 'Very Weak' for decent(?) password
| Reported by: | philipjohn | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.9.1 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
The password strength meter is reporting 'On3Hydra10!' as "very weak" despite many online password checkers I used seeing it as at least decent. I've verified this happens on vanilla WP.
I checked the password against online password strength meters with the following results:
http://www.passwordmeter.com/ - "100%"
https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx - "Medium"
https://howsecureismypassword.net/ - "4 thousand years to crack"
https://www.grc.com/haystack.htm - "1.83 years to crack"
http://rumkin.com/tools/password/passchk.php - "Reasonable"
http://password-checker.online-domain-tools.com/ - "69%"
https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html - "10 months to crack"
http://blog.kaspersky.com/password-check/ - "2 hours to crack"
https://www.my1login.com/content/password-strength-test.php - "weak"
The last two do raise the possibility that WP is right and the other 7 password checkers aren't up to scratch, so this may not be a bug. What makes me question that theory is that omitting the exclamation mark upgrades the status to "weak", which feels wrong.
I.e., WP says:
On3Hydra10! = Very Weak
On3Hydra10 = Weak
WordPress uses zxcvbn to measure password strength, so the best place to report this is directly to them.
I'm not sure there actually is a problem, though. I think most password strength meters are 5+ years behind current cracking technology, and 'On3Hydra10!' is weak by today's standards (versus a strong password like 'HsqZu247@8,PMA@74&r=}+63({&4w9'). I wouldn't be surprised if the '!' at the end is being penalized because it's so predictable. It's extremely common for people to tack on a symbol at the end of a password, and '!' is one of the most commonly used symbols. Hackers know that, and build their cracking tools accordingly. The fact that removing it improved the grade could reveal a lack of nuance in zxcvbn's algorithm, but at the end of the day I wouldn't recommend using either of those passwords. It's much better to use a randomly generated password, along with a password manager to make it convenient.
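The gap between the online checkers and WordPress's meter comes down to two different models of an attacker. Most of the checkers listed above score charset entropy (how many characters, from how large an alphabet), while zxcvbn estimates how many guesses a pattern-aware cracker would need, treating "One" with a leet "3", a dictionary word, a two-digit number and a trailing "!" as cheap tokens. The toy estimator below is an added illustration for this ticket; it is not zxcvbn's code and not WordPress code. Its dictionary, leet table, symbol try-order and per-token costs are constructed assumptions, the three sample passwords are the ones quoted in the ticket and the comment, and the 0-4 score bands use the guess cutoffs (10^3, 10^6, 10^8, 10^10) that zxcvbn's README documents. It reproduces the large disagreement between the two models, not the specific "Very Weak" vs "Weak" ordering the reporter saw.

```python
"""Toy comparison of a charset-entropy password checker with a pattern-aware one.

Added illustration, not zxcvbn and not WordPress code. The dictionary, leet table,
symbol try-order and per-token costs are constructed assumptions.
"""
import math
import re
from functools import lru_cache

# Constructed ranked dictionary: rank 1 is the most common word. A real estimator
# uses tens of thousands of ranked words from leaked-password and frequency lists.
DICTIONARY = {w: i + 1 for i, w in enumerate([
    "password", "one", "hydra", "admin", "welcome", "dragon", "hello", "love",
])}

# Letter substitutions ("l33t") that a cracking rule set undoes. Simplified to one
# plain letter per symbol (a real table also tries e.g. "1" -> "l").
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Suffix symbols in the order a guesser tries them (constructed order; "!" first).
SYMBOL_ORDER = "!.?*@#$%&"

PRINTABLE = 95                        # printable ASCII: naive model's widest charset, our fallback
SCORE_BANDS = (1e3, 1e6, 1e8, 1e10)   # zxcvbn's documented guess cutoffs for scores 0-4

# Constructed sample inputs: the ticket's two passwords and the comment's random one.
TICKET_PW = "On3Hydra10!"
TICKET_PW_NO_SYMBOL = "On3Hydra10"
RANDOM_PW = "HsqZu247@8,PMA@74&r=}+63({&4w9"


def charset_guesses(pw):
    """Naive model used by many online checkers: (charset size ** length) / 2."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return size ** len(pw) / 2


def word_guesses(tok):
    """Guesses for a token that is a dictionary word once case and leet are undone,
    else None. Cost = rank * leet variants * capitalisation variants."""
    plain = "".join(LEET.get(c, c) for c in tok.lower())
    rank = DICTIONARY.get(plain)
    if rank is None:
        return None
    leet_vars = 2 ** sum(c in LEET for c in tok)   # each substituted char doubles the guesses
    letters = [c for c in tok if c.isalpha()]
    if all(c.islower() for c in letters):
        case_vars = 1
    elif all(c.isupper() for c in letters) or (
            tok[0].isupper() and all(c.islower() for c in letters[1:])):
        case_vars = 2                              # ALL CAPS or Initial capital: one extra rule
    else:
        case_vars = 2 ** len(letters)              # arbitrary mixed case
    return rank * leet_vars * case_vars


def symbol_guesses(tok):
    """Guesses for a run of common symbols: a guesser tries "no symbol" first, then
    each symbol in SYMBOL_ORDER, so a symbol costs its 1-based position plus one."""
    if not tok or not all(c in SYMBOL_ORDER for c in tok):
        return None
    g = 1.0
    for c in tok:
        g *= SYMBOL_ORDER.index(c) + 2
    return g


def pattern_guesses(pw):
    """Pattern-aware model: split the password into dictionary words, digit runs,
    symbol runs and leftover characters, choosing the split that is cheapest for
    an attacker; the total is the product of the token guesses."""
    n = len(pw)

    @lru_cache(maxsize=None)
    def best(i):
        if i == n:
            return 1.0
        options = [PRINTABLE * best(i + 1)]        # leftover character: brute force it
        for j in range(i + 1, n + 1):
            tok = pw[i:j]
            for g in (word_guesses(tok),
                      10 ** len(tok) if tok.isdigit() else None,
                      symbol_guesses(tok)):
                if g is not None:
                    options.append(g * best(j))
        return min(options)

    return best(0)


def score(guesses):
    """0-4 score using zxcvbn's documented guess cutoffs (1e3, 1e6, 1e8, 1e10)."""
    return sum(guesses >= band for band in SCORE_BANDS)


def report(pw):
    """Both models for one password: (charset bits, pattern bits, pattern score)."""
    c, p = charset_guesses(pw), pattern_guesses(pw)
    return round(math.log2(c), 1), round(math.log2(p), 1), score(p)


if __name__ == "__main__":
    for pw in (TICKET_PW, TICKET_PW_NO_SYMBOL, RANDOM_PW):
        cb, pb, s = report(pw)
        print(f"{pw:32} charset-model {cb:6.1f} bits | pattern-model {pb:6.1f} bits, score {s}")
```

Under the charset model 'On3Hydra10!' looks like roughly 71 bits (95^11 / 2), which is the "100%" / "thousands of years" territory the checkers reported. Under the pattern model it is "One" (rank 2, one leet substitution, initial capital), "Hydra" (rank 3, initial capital), the number 10 and the first-tried suffix symbol: a few thousand guesses in total, score 1 on the zxcvbn bands. The random password stays well above 2^100 guesses under both models because no token in it is cheaper than brute force. The concrete lesson for a WordPress site owner is the comment's: a meter that counts characters cannot see that a password is a dictionary word with a number and a "!" glued on, and a cracker can.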