Opened 8 years ago
Last modified 7 years ago
#40149 new enhancement
WordPress password strength checking is improved, but the hint now doesn't help
Reported by: | arjenlentz | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 4.7.3 |
Component: | Users | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
WordPress 4.7 has vastly improved password strength checking.
This is great.
However, the password hint function wp_get_password_hint() provides information that's essentially contradicting the approach that the password checker uses.
Mind that the check tool now used (built by someone at Dropbox) takes into account that (for instance) random word phrases are easy to remember as well as difficult to crack, while using upper/lowercase and letter->digit substitution are easy to crack while being more of a hassle to remember.
Ref also the famous XKCD cartoon on this topic: https://xkcd.com/936/
What does the WP Core default string read?
'Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).'
Yes we can override this using the 'password_hint' filter, however I think it'd be great to provide a better base text for default installs.
Proposed new text:
'Hint: longer is stronger (at least 12 characters), and consider using a sequence of random words (ideally non-English).'
Basic patch
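To make the ticket's argument concrete, here is an added Python sketch (not part of the ticket, the patch, or WordPress core) that estimates, in bits, how many guesses an attacker needs for the two strategies the old and proposed hints recommend. It is a simplified keyspace model with assumed dictionary and rule sizes, not the scoring of the Dropbox checker WordPress now ships.

```python
"""Simplified keyspace model (added example; parameters are assumptions).

The old hint implies every character is chosen at random from the full
alphabet. In practice people pick a word and decorate it, and guessing
tools enumerate exactly that pattern, so the effective keyspace is
dictionary x substitutions x case patterns x suffixes, not alphabet^length.
A phrase of k random words is dictionary^k, which grows much faster.
"""
import math


def char_substitution_bits(dictionary_words, leet_variants_per_word,
                           case_patterns, suffix_patterns):
    """Bits for 'word + letter->digit swaps + digits/symbol' once the
    attacker enumerates the human pattern instead of random characters."""
    guesses = (dictionary_words * leet_variants_per_word
               * case_patterns * suffix_patterns)
    return math.log2(guesses)


def random_words_bits(dictionary_words, word_count):
    """Bits for word_count words drawn uniformly from a word list."""
    return word_count * math.log2(dictionary_words)


def naive_charset_bits(length, alphabet_size):
    """What the old hint assumes: each character uniformly random.
    Real users do not produce this, so it overstates strength."""
    return length * math.log2(alphabet_size)


def compare():
    """Compare the three estimates using constructed parameters."""
    substituted = char_substitution_bits(
        dictionary_words=65_536,   # assumed: ~2^16 base words
        leet_variants_per_word=8,  # assumed: o->0, a->4, e->3 toggles
        case_patterns=2,           # assumed: first letter capitalised or not
        suffix_patterns=1_000)     # assumed: digit/symbol endings tried
    phrase = random_words_bits(dictionary_words=2048, word_count=4)
    naive = naive_charset_bits(length=11, alphabet_size=94)
    return {
        "substituted_word_bits": round(substituted, 1),  # ~30.0
        "random_4_words_bits": round(phrase, 1),         # 44.0
        "naive_11_char_bits": round(naive, 1),           # ~72.1 (unrealistic)
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name}: {bits} bits")
```

The gap between the naive figure and the substituted-word figure is the contradiction the ticket describes: the old hint's advice looks strong on paper but collapses once the attacker models how people actually apply it.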