'Password Lost/Changed' emails should give indication of the strength of the new password

[lovingboth]

When any user changes their password, the site's owner gets an email that currently just says:

"Password Lost and Changed for user: [username]"

It would help administrators if the email also included WordPress's assessment of the strength of the new one. I don't always agree with that assessment, but it is better than saying nothing.

As it is, there's no way to know if the user has just picked an extremely weak password and thanks to the repeated user privilege escalation exploit issues, even low level users with weak passwords can put the whole site at risk.

[johnbillion]

I quite like this idea.

[iandunn]

Is email a secure medium for transmitting that information? My impression is that SSL isn't ubiquitous yet, so in some cases we'd basically be telling attackers, "Hey, look! This user has a weak password." That impression could be outdated, though.

Perhaps the benefits of informing admins would outweigh the potential for leaking that info? If so, maybe it'd help to include a link in the email so that admins can reset weak passwords to strong ones with a single click.

[lovingboth]

"I quite like this idea."

Me too :)

"Is email a secure medium for transmitting that information?"

If your site's email is compromised / being sniffed by an attacker, you're already stuffed because typically the user's login reset details have just been emailed. (If all of your email is compromised, you're even more stuffed!)

Plus emailing the current message already says 'here's a username and they've just changed their password.. so it's quite possibly not very good - get brute forcing it!' (Especially as there's no brute force protection in WordPress without installing a plugin or doing something at the server level.)

"maybe it'd help to include a link in the email so that admins can reset weak passwords to strong ones with a single click"

It would be a useful addition, if it doesn't delay the main change happening.

(I'd prefer a setting in core, set by default, that stops any 'very weak' password being used in the first place, but that's for another feature request...)

[iandunn]

Replying to lovingboth:

If your site's email is compromised / being sniffed by an attacker, you're already stuffed

Ah, yeah, that's a good point. Nevermind :)

[birgire]

I was just curious how this could be implemented, since the password strength is estimated in Javascript.

37604.diff​ is POC implementation just to see if it would be possible:

• Adds the password strength score via JS to a hidden input on the reset password form.
• Validates the score input value in PHP after the form has been submitted.
• Adds the score to the 'validate_password_reset' action. (if one would like restrictions based on the score).
• Adds a score input to the functions reset_password() and wp_password_change_notification().
• Adds the password strength information to the password change notification.

There's a PHP implementation ​here, but I didn't look into that option.

The score has these possible values:

result.score              # 0, 1, 2, 3 or 4 if crack time is less than
                          # 10**2, 10**4, 10**6, 10**8, Infinity.

​https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

Then WordPress also adds the values -1 (unknown) and 5 (mismatch) in wp-admin/js/password-strength-meter.js.