Make WordPress Core

Opened 9 years ago

Last modified 6 years ago

#32979 new enhancement

Password UI: Regenerate PW after clearing field

Reported by: MikeHansenMe
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 4.3
Component: General
Keywords: needs-patch
Focuses:
Cc:

Description

Based on https://core.trac.wordpress.org/ticket/32589#comment:20.

I think this needs some discussion and focus in its own ticket.

In the new UI a PW gets generated for you. You have to take an action "Show password" or "Generate new password" to make the field show. Then you can edit that if you would like. At that point you decide you would rather generate one again. There is no clear way to do so.

A few things worth noting

On user profile you can click "Generate new password" again and it will.

On new user you can click "Show password" and it will regenerate a pw again. (This is not great and where the change needs to happen)

Perhaps the easy solution is to change the wording on the button when the field is shown to "Generate new password".

A small issue that can be taken care of at the same time is the "Show password" button shows above the PW field while the "Generate new password" button shows below. The button below looks better.

Change History (10)

#1 @obenland
9 years ago

  • Milestone changed from 4.3 to Future Release
  • Type changed from defect (bug) to enhancement

No movement in a week, let's iterate on this in a future release.

#2 @stuartshields
9 years ago

Hi,

I noticed this as well. It seems confusing that when clicking on the Generate Password button, clicking Show to show the password and then clicking Cancel, and then clicking Generate Password button again (second time), it shows the same password. The button is misleading, it should either be "Show Generated Password" or "Generate Password" and it generates a brand new password. When using Password generators I find that I am clicking "Generate Password" a few times to get one that has possibly not been used before.

#3 @ahortin
9 years ago

I agree. The "Generate Password" button is currently no more useful than the "Show/Hide" password button. It should generate a brand new password each time it's clicked. Either that or remove it and display the password field and the "Show/Hide" buttons all the time.

#4 @menkom
9 years ago

Generate password is missing one vital feature... it doesn't actually generate anything....

Please make clicking the generate password auto regenerate a new random password rather than showing the same password every time. That looks like a massive security risk right there already.

#5 follow-up: @wealthy
9 years ago

Yea I might as well just put my own Password in if I don't like the one you gave me as a choice..
needs to have an option to choose another one
And I hope all the passwords we all get are not the same??
Does it really generate a new one for everyone..??

#6 in reply to: ↑ 5 ; follow-ups: @atomicjack
9 years ago

Replying to wealthy:

> Yea I might as well just put my own Password in if I don't like the one you gave me as a choice..
> needs to have an option to choose another one
> And I hope all the passwords we all get are not the same??
> Does it really generate a new one for everyone..??

Someone, somewhere, eventually, would have the same password generated.

But that doesn't really matter - as it is such a small %, that people wouldn't know the username to match the password with as well. It'd go back to bruteforcing, for which, there are many ways to defend against those.

There's no insecurity on that part, but let's be honest, nothing, at all, is completely secure.

#7 in reply to: ↑ 6 @wealthy
9 years ago

Well might as well not worry then about this eh??
might as well just return it to what it was before..

Replying to atomicjack:

> Replying to wealthy:
>
> > Yea I might as well just put my own Password in if I don't like the one you gave me as a choice..
> > needs to have an option to choose another one
> > And I hope all the passwords we all get are not the same??
> > Does it really generate a new one for everyone..??
>
> Someone, somewhere, eventually, would have the same password generated.
>
> But that doesn't really matter - as it is such a small %, that people wouldn't know the username to match the password with as well. It'd go back to bruteforcing, for which, there are many ways to defend against those.
>
> There's no insecurity on that part, but let's be honest, nothing, at all, is completely secure.

#8 in reply to: ↑ 6 ; follow-up: @menkom
9 years ago

Replying to atomicjack:

> Replying to wealthy:
>
> > Yea I might as well just put my own Password in if I don't like the one you gave me as a choice..
> > needs to have an option to choose another one
> > And I hope all the passwords we all get are not the same??
> > Does it really generate a new one for everyone..??
>
> Someone, somewhere, eventually, would have the same password generated.
>
> But that doesn't really matter - as it is such a small %, that people wouldn't know the username to match the password with as well. It'd go back to bruteforcing, for which, there are many ways to defend against those.
>
> There's no insecurity on that part, but let's be honest, nothing, at all, is completely secure.

The chances of generating the same password with that many characters is literally 0.00001%

#9 in reply to: ↑ 8 @atomicjack
9 years ago

Replying to menkom:

> Replying to atomicjack:
>
> > Replying to wealthy:
> >
> > > Yea I might as well just put my own Password in if I don't like the one you gave me as a choice..
> > > needs to have an option to choose another one
> > > And I hope all the passwords we all get are not the same??
> > > Does it really generate a new one for everyone..??
> >
> > Someone, somewhere, eventually, would have the same password generated.
> >
> > But that doesn't really matter - as it is such a small %, that people wouldn't know the username to match the password with as well. It'd go back to bruteforcing, for which, there are many ways to defend against those.
> >
> > There's no insecurity on that part, but let's be honest, nothing, at all, is completely secure.
>
> The chances of generating the same password with that many characters is literally 0.00001%

That's exactly what I'm saying; it is not at all worth worrying about someone having the same password.

Even if they did, how would a person know to use that exact password on your username? They wouldn't.

#10 @afercia
6 years ago

See also the related ticket #42852 where the proposed patch tries to address some of the points mentioned here. Some testing would be great, and any thoughts very welcome.
