Make WordPress Core

Opened 3 months ago

Closed 2 months ago

Last modified 2 months ago

#39817 closed defect (bug) (invalid)

Confusing password strength behavior

Reported by: mgriesde
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7.2
Component: Login and Registration
Keywords:
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

Hi all,

we're using WordPress together with the lifterLMS plugin. lifterLMS uses the standard WordPress password strength functionality.

We've enabled forcing strong passwords and displaying the password strength meter. As a hint for our customers, a text is displayed saying that they should use at least 6 characters, a combination of alphanumeric and numeric characters, and special characters.

But the password is not interpreted as strong in every case. For example:

mfjg#0 => just medium (meets the above-mentioned requirement)

mfjg#08 => strong

mfjg#081 => medium (confusing, because it has one more character...)

mfjg#0815 => strong (again...)

So what are the concrete password rules? I don't understand how the password strength is calculated, and neither do our customers.

Thanks in advance

Matthias

Attachments (4)

password_version_1.JPG (13.9 KB) - added by mgriesde 2 months ago.
password_version_2.JPG (14.7 KB) - added by mgriesde 2 months ago.
password_version_3.JPG (14.1 KB) - added by mgriesde 2 months ago.
password_version_4.JPG (14.1 KB) - added by mgriesde 2 months ago.


Change History (11)

#1 @SergeyBiryukov
3 months ago

  • Description modified (diff)

#2 @Ipstenu
3 months ago

WordPress uses the following library for passwords: https://github.com/dropbox/zxcvbn

You can read about it in detail here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

And you can test passwords here: https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html

Okay so WHY are those results what you get?

Well I'm not sure since I get a WEAK score for mfjg#08 :) - https://cloudup.com/c3ZO38TDv36 and mfjg#0815 only gets me up to medium.

Do you maybe have a setting in Lifter or some other plugin that is messing with that?

#3 @jorbin
3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Welcome to trac mgriesde. The password strength meter works off of entropy and estimated time to crack a password. Some of the internals are a bit complicated, which is why it can produce slightly unexpected results, but essentially.

There is a great video and paper explaining the password strength meter from a security conference, and an introductory blog post about it is available as well.

The rule of thumb isn't some magic combination of numbers, letters, and symbols but length and uniqueness. (relevant XKCD)

I'm closing this as invalid since as far as I can tell, the password strength meter is working as expected and there is no bug but feel free to ask for further clarification and I'll help to the best of my time and abilities.
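
A quick way to see the difference jorbin describes between a composition rule and an entropy-based estimate, as an added example that is not part of the ticket and not WordPress's or zxcvbn's code; the guess rate and the symbol-set size are assumptions, and this brute-force baseline deliberately omits zxcvbn's dictionary, sequence and date matching, which is why real zxcvbn scores can differ from it:

```javascript
// Added example, not code from the ticket, WordPress or zxcvbn.
// Compares the composition hint shown to the reporter's customers with a
// plain brute-force entropy / crack-time estimate for the ticket's passwords.

const GUESSES_PER_SECOND = 1e10; // assumed offline guessing rate, illustration only

// The composition hint quoted in the ticket: at least 6 characters with
// letters, digits and a special character.
function meetsCompositionRule(pw) {
  return pw.length >= 6 &&
    /[a-zA-Z]/.test(pw) && /[0-9]/.test(pw) && /[^a-zA-Z0-9]/.test(pw);
}

// Size of the alphabet an attacker must search, from the classes present.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // assumed: printable ASCII symbols
  return size;
}

// Brute-force entropy in bits: log2(charset ^ length). Grows with every
// added character, unlike a pattern-matching meter such as zxcvbn.
function bruteForceBits(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(charsetSize(pw));
}

// Expected seconds to search half the space at the assumed rate.
function crackSeconds(pw) {
  return Math.pow(2, bruteForceBits(pw)) / 2 / GUESSES_PER_SECOND;
}

function report(pw) {
  return {
    password: pw,
    passesRule: meetsCompositionRule(pw),
    bits: Math.round(bruteForceBits(pw)),
    seconds: crackSeconds(pw),
  };
}

// The reporter's four passwords plus an XKCD-style lowercase passphrase,
// which fails the composition rule but has far more brute-force entropy.
const SAMPLES = ['mfjg#0', 'mfjg#08', 'mfjg#081', 'mfjg#0815',
                 'correcthorsebatterystaple'];
for (const pw of SAMPLES) console.log(report(pw));
```
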

#4 @mgriesde
2 months ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

Hi all,

thanks for your investigation. I've just set up a new WordPress installation with my hosting provider. It's clean. No lifterLMS, just some pre-installed plugins. Just "Limit Login Attempts" is activated.

When I directly administer a user in the core WordPress UI, I still get the same strange behavior. See attached screenshots.

So for me it seems a "problem" of WordPress core. Please have a look.

Kind regards
Matthias

#5 @Ipstenu
2 months ago

  • Resolution set to invalid
  • Status changed from reopened to closed

I can't reproduce your results on a clean install of WordPress 4.7.

Are you absolutely sure you're testing with NO other plugins installed? Keep in mind, some hosts preinstall and configure plugins for you.

Please leave this ticket closed. We can keep talking in it, and if it turns out to be something wrong with core, we can reopen it, but right now the behavior is as expected.

#6 @mgriesde
2 months ago

Thanks!

I've just deleted all plugins from my test installation at my hosting provider. Nothing installed but WordPress 4.7.2 in German.

Strange behavior is still the same. I also switched the language to English. Didn't help. So I've no idea...

#7 @mgriesde
2 months ago

I've also just installed WordPress locally using XAMPP and the actual download from https://wordpress.org/latest.zip. Nothing else. I've chosen German language during installation.

So it's a totally clean installation.

Nevertheless I get the same strange password behavior for this local installation.
