Make WordPress Core

Opened 7 years ago

Last modified 7 years ago

#40149 new enhancement

WordPress password strength checking is improved, but the hint now doesn't help

Reported by: arjenlentz's profile arjenlentz Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.7.3
Component: Users Keywords: has-patch
Focuses: Cc:


WordPress 4.7 has vastly improved password strength checking.
This is great.

However, the password hint function wp_get_password_hint() provides information that's essentially contradicting the approach that the password checker uses.
Mind that the check tool now used (built by someone at Dropbox) takes into account that (for instance) random word phrases are easy to remember as well as difficult to crack, while using upper/lowercase and letter->digit substitution are easy to crack while being more of a hassle to remember.
Ref also the famous XKCD cartoon on this topic:

What does the WP Core default string read?

'Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).'

Yes we can override this using the 'password_hint' filter, however I think it'd be great to provide a better base text for default installs.

Proposed new text:

 'Hint: longer is stronger (at least 12 characters), and consider using a sequence of random words (ideally non-English).'

Attachments (1)

40149.diff (698 bytes) - added by lukecavanagh 7 years ago.
Basic patch

Download all attachments as: .zip

Change History (4)

#1 @SergeyBiryukov
7 years ago

  • Component changed from General to Users

7 years ago

Basic patch

#2 @lukecavanagh
7 years ago

  • Keywords has-patch added

#3 @arjenlentz
7 years ago

Surely this can be merged into core? @lukecavanagh even provided a patch.

We're now at 4.8.2 and sites are still showing the old string which provides users with incorrect hints.

Note: See TracTickets for help on using tickets.