Make WordPress Core

Opened 11 years ago

Closed 10 years ago

#32261 closed defect (bug) (invalid)

Security: Wordpress Admin/Backend: No Passwordlength is enforced = Big Security Risk

Reported by: iamwordimpressed Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.2.1
Component: Security Keywords:
Focuses: Cc:

Description

Hello,

In the WordPress admin on a profile page (http://localhost/my/wp-admin/profile.php), when changing the password, there is no password length enforced! Yes, there is a password strength meter. But who among normal users will really take care of it?

WordPress is more and more used as a platform! A lot of "normal" uneducated users will sign up and in (not only educated admins). We have a very big site in the launch and I just shockingly realized this. Every one of the users could have set a single character as password. And there will be users that do this.
Or alternatively put a BIG warning with a checkbox before installation, so that every administrator is aware of this and can fix this big security hole. I was not, and I spent the last 6 months full-time developing in WordPress! (Before even looking for a solution I am writing this ticket.)

Please, please enforce at least a password length of 6 characters. Never put the responsibility of security onto the user, but put it by design into the application. Everything else will lead to disasters.

Thanks!

Change History (3)

#1 @ericmann
11 years ago

  • Keywords close added

WordPress doesn't force security in this way. You could hook in and remove all passwords if you wanted to. Or you could hook in and replace the default password setup with something like OAuth, LDAP, or ActiveDirectory. Every installation is different, and forcing a minimum (or maximum, or strong, or whatever) password on everyone is a quick way to hurt many end users who may or may not face the same requirements.

Weak passwords are a potential security risk, true. But the onus of enforcing strong passwords is on the site administrator, not on the tool upon which they build a site.

If you need to force long passwords, or strong passwords, or passwords with only alphanumeric characters, or whatever, you're entirely welcome to do so. But that's not a use case that fits the majority of end users, so it likely won't be a change rolled into core. As it stands now, that kind of a change might actually prove destructive to the existing user base and do more harm than good.

Instead, I highly recommend you look into existing plugin solutions like Force Strong Passwords (https://wordpress.org/plugins/force-strong-passwords/) that add an extra layer of security onto your password system if you need it.

Some other systems add two-factor authentication as well. Others force passwords to expire on a set schedule. The exact security requirements of your site and setup should dictate how you deal with passwords, not the software itself.
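To make the "hook in" approach from comment:1 concrete, here is an added example (not code from WordPress core or from the Force Strong Passwords plugin) of a must-use plugin that rejects short passwords on the profile page and on the password reset form. The hook names are real core actions; the constant, the function name and the 12-character default are assumptions (the ticket asks for at least 6).

```php
<?php
/**
 * Plugin Name: Minimum Password Length (example mu-plugin)
 * Description: Rejects new passwords shorter than a site-wide minimum.
 *
 * Hypothetical example, not part of WordPress core. Placed in
 * wp-content/mu-plugins/ it is always loaded and cannot be deactivated
 * from the admin UI, so the policy cannot be switched off by accident.
 */

// Site policy. The ticket asks for at least 6; 12 is an assumed stricter default.
if ( ! defined( 'EXAMPLE_MIN_PASSWORD_LENGTH' ) ) {
    define( 'EXAMPLE_MIN_PASSWORD_LENGTH', 12 );
}

/**
 * Return an error message if $password is too short, or null if it is acceptable.
 * mb_strlen counts multibyte characters once instead of once per byte.
 */
function example_password_length_problem( $password ) {
    $length = function_exists( 'mb_strlen' ) ? mb_strlen( $password, 'UTF-8' ) : strlen( $password );
    if ( $length < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Password must be at least %d characters long (%d given).',
            EXAMPLE_MIN_PASSWORD_LENGTH, $length );
    }
    return null;
}

// profile.php / user-new.php: edit_user() copies the submitted pass1 field into
// $user->user_pass before firing this action. Empty means "password unchanged".
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $problem = example_password_length_problem( $user->user_pass );
    if ( $problem !== null ) {
        $errors->add( 'pass', '<strong>ERROR</strong>: ' . $problem );
    }
}, 10, 3 );

// wp-login.php?action=rp: core fires this action before reset_password(); the
// candidate password is only available in the posted pass1 field.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // form displayed for the first time, nothing submitted yet
    }
    $problem = example_password_length_problem( wp_unslash( $_POST['pass1'] ) );
    if ( $problem !== null ) {
        $errors->add( 'password_too_short', '<strong>ERROR</strong>: ' . $problem );
    }
}, 10, 2 );
```

Adding an error to the WP_Error object is enough: core checks `$errors` after each action and refuses to save the profile or reset the password while it contains entries.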

#2 @iamwordimpressed
11 years ago

In my opinion this is a completely wrong way of thinking.

Good software would do it this way:

  • A backend option for the admin that allows some basic configuration of password strength and that is set to a reasonably good security level by default (security by design). And a very easy way (1 click) to disable it or to configure it to less secure levels. Yes, you are right, 1% of the websites need a less secure WP. They can then configure it easily with these options.

Bad software does it like this:

  • No security at all, and 99% of the admins don't even know that they have a huge security risk (this is nowhere documented, that's the problem(!!!)). Happy hacking.

Yes, thanks for the link, I had googled it before posting. And I had to laugh out loud: WordPress is run on 60.000.000 (?) websites and the plugin has 7.000 active installs. Wow, q.e.d.

#3 @chriscct7
10 years ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

This is plugin territory imo and agreed with comment:1. Closing as invalid.
