Opened 8 years ago
Last modified 5 days ago
#44333 new defect (bug)
Password hint label needs to be re-worded and needs to have a minimum password length check
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | major | Version: | |
| Component: | Login and Registration | Keywords: | dev-feedback has-patch |
| Focuses: | administration | Cc: | |
Description
When resetting a password, the help text under the password box says:
Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).
Although it says should be at least twelve characters long, I am able to use only one character!
- The above help text needs to be re-worded with something like:
Hint: The recommended length of the password should be at least twelve characters and must have at least X characters. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).
X can be a number, say 6, 8, etc.
- I believe there needs to be a minimum length check.
Change History (5)
#3
@
8 years ago
Thank you for telling me the difference! Even if it is pluggable, I think having a guard for a minimum password length is a good idea to have upfront. I hope this makes some sense. Please correct me if you think I am wrong.
#4
@
8 years ago
> Even if it is pluggable, I think having a guard for a minimum password length is a good idea to have upfront
Sounds like a duplicate of #35817 to me.
This ticket was mentioned in PR #12081 on WordPress/wordpress-develop by @yashyadav247.
5 days ago
#5
- Keywords has-patch added; needs-patch removed
On the password reset screen (wp-login.php?action=resetpass), the help text from wp_get_password_hint() said the password “should be at least twelve characters long,” which reads like a requirement. Core does not enforce a minimum length on reset; users can still save short passwords (including via “Confirm use of weak password”). That mismatch was reported in #44333.
This change rewords the default hint so it clearly describes a recommendation, not enforced policy, while keeping the twelve-character guidance and composition tips. A short docblock note was added to document that the hint is advisory.
Scope: Hint text and documentation only. No server-side minimum length validation (related discussion: #35817).
Changed file: src/wp-includes/user.php — wp_get_password_hint()
"should" does not equal "must".
The password functions are pluggable.
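
The gap this ticket describes (an advisory hint with no server-side minimum) can be closed per site with existing core hooks. The plugin below is an added example, not code from the ticket, from PR #12081 or from WordPress core; the `example_*` names and the minimum of 12 are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example minimum password length (illustrative, not core code)
 */

// Assumption: 12 mirrors the length the core hint recommends; set your own policy value.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

/**
 * Adds an error to $errors when $password is shorter than the minimum.
 * Hypothetical helper; this name is not a WordPress API.
 */
function example_check_password_length( WP_Error $errors, $password ) {
	// WordPress slashes request data; unslash so we count what the user typed.
	$password = wp_unslash( $password );

	// Count characters rather than bytes so multibyte passwords are measured fairly.
	if ( '' !== $password && mb_strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
		$errors->add(
			'example_password_too_short',
			sprintf( 'The password must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH )
		);
	}
}

// Reset screen (wp-login.php?action=resetpass): core saves the new password
// only if $errors is still empty after this action has run.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( isset( $_POST['pass1'] ) && is_string( $_POST['pass1'] ) ) {
		example_check_password_length( $errors, $_POST['pass1'] );
	}
}, 10, 2 );

// Profile and add-user screens: edit_user() sets $user->user_pass when a
// new password was submitted, then fires this action before saving.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( ! empty( $user->user_pass ) ) {
		example_check_password_length( $errors, $user->user_pass );
	}
}, 10, 3 );

// Keep the on-screen hint consistent with what the server now enforces.
add_filter( 'password_hint', function ( $hint ) {
	return sprintf( 'The password must be at least %d characters long. ', EXAMPLE_MIN_PASSWORD_LENGTH ) . $hint;
} );
```

Because the check runs on the server, ticking "Confirm use of weak password" does not bypass it. It covers only these two form paths; passwords set by code that calls `wp_set_password()` directly are not checked.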