Make WordPress Core

Opened 8 years ago

Closed 7 years ago

#36287 closed defect (bug) (wontfix)

Password strength meter unreliable

Reported by: n13design's profile n13design Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4.2
Component: General Keywords: close
Focuses: Cc:


I'm using the WooCommerce plugin. I reached out the the plugin developer and they said they use WordPress's meter for password strength.

Following the password hints I've found it difficult to meet the medium strength password. I've not been able to get a 7 character password to pass. Sometimes the meter says the password is medium or strong and then after making the password longer it says it's weak.

One example of a password that was labeled weak is I used a random string of three letters with the first capitalized. Then the @ symbol. Followed by 3 numbers and an exclamation. According to the password tips this should be approved. In a password I had a string of three numbers and for some reason 194 was considered weak but 195 was medium. Then certain random strings of letters weren't approved either. I'm not seeing why these random entries are blacklisted.

Is there a way to adjust the settings for the password strength?

Change History (2)

#1 in reply to: ↑ description @johnbillion
8 years ago

  • Keywords close added

Hi @n13design, welcome to WordPress Trac!

Replying to n13design:

Is there a way to adjust the settings for the password strength?

That would somewhat defeat the entire purpose if what constituted "strong" could be altered. A weak password is still weak even if you change the UI so it tells you it's strong. A seven character password is not considered strong due to its short length.

Note that WordPress' password strength meter uses the zxcvbn library from Dropbox, which is well trusted. You may want to take a read through the announcement post for zxcvbn for more details.

#2 @swissspidy
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

For the reasons state before, allowing such adjustments to the password strength meter isn't a good idea.

Note: See TracTickets for help on using tickets.