#39817 closed defect (bug) (invalid)
Confusing password strength behavior
Reported by: | mgriesde | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 4.7.2 |
Component: | Login and Registration | Keywords: | |
Focuses: | | Cc: | |
Description
Hi all,
we're using WordPress together with the lifterLMS plugin. lifterLMS uses the standard WordPress password strength functionality.
We've enabled forcing strong passwords and also displaying the password strength meter. As a hint for our customers, a text is displayed saying that they should use at least 6 characters, a combination of alphanumeric and numeric characters and special characters.
But the password is not interpreted as strong in every case. For example:
- mfjg#0 => just medium (meets the above-mentioned requirement)
- mfjg#08 => strong
- mfjg#081 => medium (confusing, because it has one more character...)
- mfjg#0815 => strong (again...)
So what are the concrete password rules? I don't understand how the password strength is calculated, and neither do our customers.
Thanks in advance
Matthias
Attachments (4)
Change History (11)
#3 (8 years ago)
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
Welcome to Trac, mgriesde. The password strength meter works off of entropy and estimated time to crack a password. Some of the internals are a bit complicated, which is why it can produce slightly unexpected results, but essentially:
There is a great video and paper explaining the password strength meter from a security conference, and an introductory blog post about it is available as well.
The rule of thumb isn't some magic combination of numbers, letters, and symbols, but length and uniqueness. (relevant XKCD)
I'm closing this as invalid since, as far as I can tell, the password strength meter is working as expected and there is no bug, but feel free to ask for further clarification and I'll help to the best of my time and abilities.
#4 (8 years ago)
- Resolution invalid deleted
- Status changed from closed to reopened
Hi all,
thanks for your investigation. I've just had a new WordPress installation set up by my hosting provider. It's clean. No lifterLMS, just some pre-installed plugins. Only "Limit Login Attempts" is activated.
When I directly administer a user in the core WordPress UI, I still get the same strange behavior. See the attached screenshots.
So to me it seems to be a "problem" of WordPress core. Please have a look.
Kind regards
Matthias
#5 (8 years ago)
- Resolution set to invalid
- Status changed from reopened to closed
I can't reproduce your results on a clean install of WordPress 4.7.
Are you absolutely sure you're testing with NO other plugins installed? Keep in mind, some hosts preinstall and configure plugins for you.
Please leave this ticket closed. We can keep talking in it, and if it turns out to be something wrong with core, we can reopen it, but right now the behavior is as expected.
#6 (8 years ago)
Thanks!
I've just deleted all plugins from my test installation at my hosting provider. Nothing is installed but WordPress 4.7.2 in German.
The strange behavior is still the same. I also switched the language to English. That didn't help. So I have no idea...
#7 (8 years ago)
I've also just installed WordPress locally using XAMPP and the actual download from https://wordpress.org/latest.zip. Nothing else. I've chosen German language during installation.
So it's a totally clean installation.
Nevertheless I get the same strange password behavior for this local installation.
WordPress uses the following library for passwords: https://github.com/dropbox/zxcvbn
You can read about it in detail here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
And you can test passwords here: https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html
Okay, so WHY are those results what you get?
Well, I'm not sure, since I get a WEAK score for mfjg#08 :) - https://cloudup.com/c3ZO38TDv36 and mfjg#0815 only gets me up to medium. Do you maybe have a setting in Lifter or some other plugin that is messing with that?
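Comment #3 says the meter works off entropy and estimated crack time rather than a character-class checklist, and comment #7 points at zxcvbn as the library behind it. The following is an added illustration, not code from WordPress, zxcvbn or anyone in this ticket: a deliberately small zxcvbn-style estimator that charges brute-force bits for unpatterned characters but only a few "description" bits for a digit run it recognises as a repeat or a sequence. The character-class sizes, the minimum run length and the bit thresholds for the 0..4 score are constructed assumptions; zxcvbn additionally matches dictionary words, dates, keyboard walks and l33t substitutions and buckets by estimated crack time, so its numbers for the passwords in this ticket will differ. What the toy model does show is the mechanism behind the reporter's confusion: appending a character can lower the estimate when the longer string completes a recognisable pattern.

```python
import math

# Constructed character-class sizes for the brute-force baseline
# (zxcvbn uses its own tables; these are only illustrative).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33
SEQ_MIN_LEN = 3  # assumption: digit runs shorter than this are not treated as patterns


def cardinality(password: str) -> int:
    """Alphabet size a brute-force guesser would have to cover for this password."""
    card = 0
    if any(c.islower() for c in password):
        card += LOWER
    if any(c.isupper() for c in password):
        card += UPPER
    if any(c.isdigit() for c in password):
        card += DIGIT
    if any(not c.isalnum() for c in password):
        card += SYMBOL
    return max(card, 1)


def find_patterns(password: str) -> list:
    """Return (start, end, kind) for each maximal digit run of length >= SEQ_MIN_LEN
    that is a repeat ('111') or a strict ascending/descending sequence ('123', '321').
    Only digit runs are matched in this toy model."""
    found = []
    i = 0
    while i < len(password):
        if not password[i].isdigit():
            i += 1
            continue
        j = i
        while j < len(password) and password[j].isdigit():
            j += 1
        run = password[i:j]
        if len(run) >= SEQ_MIN_LEN:
            steps = {ord(b) - ord(a) for a, b in zip(run, run[1:])}
            if steps == {0}:
                found.append((i, j, "repeat"))
            elif steps in ({1}, {-1}):
                found.append((i, j, "sequence"))
        i = j
    return found


def entropy_bits(password: str) -> float:
    """Estimated bits: unmatched stretches cost log2(cardinality) per character;
    a matched pattern costs only what is needed to describe it."""
    per_char = math.log2(cardinality(password))
    bits = 0.0
    pos = 0
    for start, end, kind in find_patterns(password):
        bits += (start - pos) * per_char            # brute-force stretch before the match
        n = end - start
        if kind == "repeat":
            bits += math.log2(DIGIT) + math.log2(n)       # which digit, how many times
        else:
            bits += math.log2(DIGIT) + math.log2(n) + 1   # start digit, length, direction
        pos = end
    bits += (len(password) - pos) * per_char         # brute-force tail
    return bits


def strength(password: str) -> int:
    """Map bits to the 0..4 scale WordPress labels very weak / weak / medium / strong.
    The thresholds are constructed; zxcvbn buckets by estimated crack time instead."""
    bits = entropy_bits(password)
    for level, limit in enumerate((28, 36, 60, 80)):
        if bits < limit:
            return level
    return 4


def report(passwords):
    """Return (password, length, bits, score) rows for a list of candidates."""
    return [(p, len(p), round(entropy_bits(p), 1), strength(p)) for p in passwords]


if __name__ == "__main__":
    # Constructed candidates: each appends one character to the previous one,
    # yet the score goes 1, 2, 1, 1, 2 because "234"/"2345" are matched as sequences.
    for row in report(["q7!m2", "q7!m23", "q7!m234", "q7!m2345", "q7!m234x"]):
        print("%-10s len=%d bits=%5.1f score=%d" % row)
```

Running the block prints the five rows; "q7!m23" scores higher than the longer "q7!m234", because the three-digit sequence is charged about 6 bits in total instead of roughly 6 bits per character. That is the same non-monotonic shape the reporter saw, and the reason comment #3 recommends length and uniqueness over a fixed mix of character classes: characters that extend a guessable pattern add almost nothing to the estimate.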