Opened 23 months ago

Last modified 2 months ago

#37604 (status: new, type: feature request)

'Password Lost/Changed' emails should give indication of the strength of the new password

Reported by: lovingboth
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.7
Component: Security
Keywords: has-patch 2nd-opinion
Focuses:
Cc:

Description

When any user changes their password, the site's owner gets an email that currently just says:

"Password Lost and Changed for user: [username]"

It would help administrators if the email also included WordPress's assessment of the strength of the new one. I don't always agree with that assessment, but it is better than saying nothing.

As it is, there's no way to know if the user has just picked an extremely weak password and thanks to the repeated user privilege escalation exploit issues, even low level users with weak passwords can put the whole site at risk.

Attachments (1)

37604.diff (9.0 KB) - added by birgire 2 months ago.

Change History (6)

#1 @johnbillion
23 months ago

  • Component changed from General to Security
  • Keywords needs-patch added; password change removed
  • Milestone changed from Awaiting Review to Future Release
  • Version changed from 4.5.3 to 3.7

I quite like this idea.

#2 @iandunn
23 months ago

Is email a secure medium for transmitting that information? My impression is that SSL isn't ubiquitous yet, so in some cases we'd basically be telling attackers, "Hey, look! This user has a weak password." That impression could be outdated, though.

Perhaps the benefits of informing admins would outweigh the potential for leaking that info? If so, maybe it'd help to include a link in the email so that admins can reset weak passwords to strong ones with a single click.

#3 follow-up: @lovingboth
23 months ago

"I quite like this idea."

Me too :)

"Is email a secure medium for transmitting that information?"

If your site's email is compromised / being sniffed by an attacker, you're already stuffed because typically the user's login reset details have just been emailed. (If all of your email is compromised, you're even more stuffed!)

Plus emailing the current message already says 'here's a username and they've just changed their password... so it's quite possibly not very good - get brute forcing it!' (Especially as there's no brute force protection in WordPress without installing a plugin or doing something at the server level.)

"maybe it'd help to include a link in the email so that admins can reset weak passwords to strong ones with a single click"

It would be a useful addition, if it doesn't delay the main change happening.

(I'd prefer a setting in core, set by default, that stops any 'very weak' password being used in the first place, but that's for another feature request...)

#4 in reply to: ↑ 3 @iandunn
23 months ago

Replying to lovingboth:

If your site's email is compromised / being sniffed by an attacker, you're already stuffed

Ah, yeah, that's a good point. Nevermind :)

#5 @birgire
2 months ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

I was just curious how this could be implemented, since the password strength is estimated in JavaScript.

37604.diff is a POC implementation just to see if it would be possible:

  • Adds the password strength score via JS to a hidden input on the reset password form.
  • Validates the score input value in PHP after the form has been submitted.
  • Adds the score to the 'validate_password_reset' action. (if one would like restrictions based on the score).
  • Adds a score input to the functions reset_password() and wp_password_change_notification().
  • Adds the password strength information to the password change notification.

There's a PHP implementation here, but I didn't look into that option.

The score has these possible values:

result.score              # 0, 1, 2, 3 or 4 if crack time is less than
                          # 10**2, 10**4, 10**6, 10**8, Infinity.

https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

Then WordPress also adds the values -1 (unknown) and 5 (mismatch) in wp-admin/js/password-strength-meter.js.
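The server side of the approach sketched in comment 5 is where the security caveat sits: the score arrives in a hidden form field, so it is attacker-controlled and can only ever be an informational hint to the admin, never something that grants or denies anything. The following is an added illustration written for this ticket, not the code in 37604.diff and not WordPress core. It assumes a hypothetical hidden field named `pass_strength`, uses hypothetical `ticket37604_*` function names, avoids WordPress APIs so it runs stand-alone, and uses labels modelled on the ones the admin-side meter shows. It collapses anything that is not one of the values the meter can emit (0 to 4) to -1 (unknown), and treats 5 (mismatch) as unknown as well, since a mismatch cannot accompany a reset the server has already accepted.

```php
<?php
// Added example for ticket #37604 (hypothetical names; not from 37604.diff).
// Assumption: the reset form posts the JS meter's result in a hidden field
// 'pass_strength'. It is client input and is validated as such.

/**
 * Reduce a raw submitted score to one of the values the JS meter can emit.
 * Missing, non-numeric, decimal, out-of-range or "mismatch" (5) values all
 * become -1 (unknown), so a tampered field can never claim a strength that
 * the sanitizer did not see as a plausible meter output.
 */
function ticket37604_sanitize_score( $raw ) {
    if ( ! is_string( $raw ) && ! is_int( $raw ) ) {
        return -1; // null, arrays, objects
    }
    $raw = trim( (string) $raw );
    // A bare optional-sign integer only; rejects '', '3abc', '3.0', '0x4'.
    if ( ! preg_match( '/^-?\d{1,2}$/', $raw ) ) {
        return -1;
    }
    $score = (int) $raw;
    // zxcvbn yields 0..4; WordPress adds -1 (unknown) and 5 (mismatch).
    // The server already compared pass1/pass2, so 5 is not a legitimate
    // value here and is folded into "unknown".
    return ( $score >= 0 && $score <= 4 ) ? $score : -1;
}

/** Human-readable label for a sanitized score (assumed mapping). */
function ticket37604_score_label( $score ) {
    switch ( $score ) {
        case 0:
        case 1:
            return 'Very weak';
        case 2:
            return 'Weak';
        case 3:
            return 'Medium';
        case 4:
            return 'Strong';
        default:
            return 'Unknown';
    }
}

/**
 * Build the admin notification body. The strength line is explicitly
 * attributed to the browser so the admin does not mistake it for a
 * server-side measurement.
 */
function ticket37604_notification_body( $user_login, $raw_score ) {
    $score = ticket37604_sanitize_score( $raw_score );
    $body  = sprintf( "Password Lost and Changed for user: %s\n", $user_login );
    $body .= sprintf( "Strength as reported by the user's browser: %s\n",
                      ticket37604_score_label( $score ) );
    if ( -1 === $score ) {
        $body .= "(No usable strength score was received: JavaScript may have been "
               . "disabled, zxcvbn may not have loaded, or the field was altered.)\n";
    }
    return $body;
}

// Demo on constructed inputs (not real form submissions).
if ( PHP_SAPI === 'cli' ) {
    foreach ( array( '0', '4', '5', '-1', '3abc', '', null, '99' ) as $raw ) {
        $score = ticket37604_sanitize_score( $raw );
        printf( "%-6s => %2d (%s)\n", var_export( $raw, true ), $score,
                ticket37604_score_label( $score ) );
    }
    echo "\n", ticket37604_notification_body( 'alice', '1' );
}
```

In the real form handler the raw value would come from `$_POST['pass_strength']` (hypothetical field name) and the body would be passed to the existing mail call; the point of the allowlist is that the admin sees at most "Very weak" through "Strong" or "Unknown", and a crafted request cannot inject text or an out-of-range number into the email.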
