Opened 8 years ago
Closed 8 years ago
#40234 closed enhancement (duplicate)
Do not allow weak passwords
| Reported by: | robdxw | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.3 |
| Component: | Security | Keywords: | 2nd-opinion ux-feedback |
| Focuses: | | Cc: | |
Description
As noted previously (#21737), people are notoriously bad at choosing secure passwords. And passwords protect not only the integrity of the individual account but also the integrity of the system as a whole.
Therefore, allowing users to set weak passwords (even if they are nagged for doing so) compromises the security of any site that is running WordPress with the default password settings.
This could be mitigated by simply not allowing passwords that do not meet at minimum the "medium" strength requirements, or at least providing a site or network-wide checkbox setting to enforce such a policy.
Change History (8)
#5
@
8 years ago
I think something like this can easily backfire if it's not done very thoughtfully, and from a user-first perspective. Anything that places too high a burden on the average user will just push them to use insecure workarounds to relieve that burden, like writing the password down on a post-it note stuck to their monitor.
I agree with Jeff Atwood's recent article on the topic, which seems to be in line with WordPress' general philosophy. He references NIST's latest recommendations to back up his argument. His conclusion was that the only rule that is effective and user-friendly is length.
If we are going to add any hard rules, then I think it might be helpful to first educate users about the reasons why strong passwords are important, and offer easy ways for them to use them (#40237). That way they'll be more likely to be receptive to any rules.
#6
@
8 years ago
@iandunn zxcvbn, which is used for the password strength meter, does not have "rules" so much as "strength" levels that are based on the amount of entropy that they call "guesses". The current version (included in 4.8) has an option to surface specific, helpful information about why weak passwords are considered weak. It can also make some simple suggestions on how to make it better. I don't believe this new functionality is being used in 4.8, but I might be mistaken.
#7
@
8 years ago
@iandunn
It is just strength levels, not hard rules.
https://core.trac.wordpress.org/browser/tags/4.7.3/src/wp-includes/script-loader.php#L399
https://core.trac.wordpress.org/browser/tags/4.7.3/src/wp-admin/js/password-strength-meter.js
I am all for being able to set a site wide option to set the password strength to at least medium strength for all users on the site.
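As an added illustration of the server-side half of the site-wide option asked for above (example code, not WordPress core and not from anyone in this ticket): the zxcvbn meter runs only in the browser, so a policy has to be re-checked where the password is actually saved. This hypothetical mu-plugin hooks the profile-update and password-reset flows and applies a length rule (the rule comment 5 cites NIST for) with an assumed minimum of 12 characters.

```php
<?php
/**
 * Plugin Name: Minimum Password Length (hypothetical example)
 * Rejects short passwords on the server, where the client-side
 * zxcvbn strength meter cannot be bypassed by editing the page.
 */

// Assumed threshold for this example; NIST SP 800-63B's floor is 8.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

/**
 * Return null if the password passes the policy, otherwise the reason.
 * Free of WordPress calls so it can be unit-tested in isolation.
 */
function example_password_policy_error( string $password ): ?string {
    // Count characters, not bytes, so non-ASCII passphrases are not penalised.
    $length = function_exists( 'mb_strlen' ) ? mb_strlen( $password ) : strlen( $password );
    if ( $length < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH );
    }
    // Length alone does not help when the password is one repeated character.
    $chars = preg_split( '//u', $password, -1, PREG_SPLIT_NO_EMPTY );
    if ( count( array_unique( $chars ) ) < 4 ) {
        return 'Passwords must use more than three distinct characters.';
    }
    return null;
}

/**
 * Shared handler: both hooks pass a WP_Error that core inspects afterwards,
 * and both forms submit the new password as pass1. An empty pass1 on the
 * profile screen means "keep the current password", so it is not checked.
 */
function example_enforce_password_policy( WP_Error $errors ): void {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $reason = example_password_policy_error( wp_unslash( $_POST['pass1'] ) );
    if ( null !== $reason ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $reason ) );
    }
}

// Profile/new-user screens in wp-admin, and the reset form in wp-login.php.
add_action( 'user_profile_update_errors', 'example_enforce_password_policy', 10, 1 );
add_action( 'validate_password_reset', 'example_enforce_password_policy', 10, 1 );
```

Because the error is attached to the WP_Error object core already checks, the save or reset is refused and the message is shown in the usual place, with no template changes needed.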