Make WordPress Core

Opened 20 months ago

Last modified 3 months ago

#57540 accepted enhancement

make WordPress password management more “understandable”?

Reported by: ludovicsclain Owned by: audrasjb
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.1.1
Component: Login and Registration Keywords: needs-copy-review needs-design-feedback needs-patch
Focuses: Cc:

Description

Hey there 👋
I’m not sure I’m in the right place to suggest something but here I go:
Are there plans to make WordPress password management more “understandable”?

Let me explain:
when my users need to change their password (after a lost password or an expiration), the “Save password” button is confusing: most forget to copy/paste this password somewhere and understand that the password has been saved.

https://markuphero.com/share/N8RP1UaE0rIYXih6TxiI

If in addition the user is used to having his browser save his passwords, the confusion is even greater: the user clicks on “Save password”, returns to the login page, the browser automatically fills in the fields (with the old password) and obviously… login failure!

I use cPanel and just had to create a new database, I find the user experience more explicit: I have a “Password generator” button and then a mandatory checkbox “I have copied this password in a safe place.” then finally a “Use password”.

What do you think? Am I the only one who thinks these steps deserve a better UX? 😬

Change History (4)

#1 follow-up: @georgestephanis
7 months ago

  • Component changed from Application Passwords to Login and Registration

I think this may have gotten lost in the Application Passwords component -- when this (by my reading) is intending to address actual password change flow.

I'm adjusting it to the "Users / Login and Registration" component, which I believe would be the relevant place for discussing user password change flows.

I believe that generally when a password field is submitted to the site with a different password than a password manager expects, it will kick off a flow in a password manager to update the existing password, but it could vary based on the password manager being used.

I'd be curious to see a "proof of concept" plugin for an improved, more explicit flow, to serve as a proposal for this iteration in core!

#2 in reply to: ↑ 1 @ludovicsclain
7 months ago

Replying to georgestephanis:

I think this may have gotten lost in the Application Passwords component -- when this (by my reading) is intending to address actual password change flow.

I'm adjusting it to the "Users / Login and Registration" component, which I believe would be the relevant place for discussing user password change flows.

I believe that generally when a password field is submitted to the site with a different password than a password manager expects, it will kick off a flow in a password manager to update the existing password, but it could vary based on the password manager being used.

I'd be curious to see a "proof of concept" plugin for an improved, more explicit flow, to serve as a proposal for this iteration in core!

Thank you @georgestephanis for considering my request, I can indeed think of a plugin improving all of this, but by doing some research I realize that solutions have already been mentioned on other tickets but that they have not been followed:

https://core.trac.wordpress.org/ticket/39638#comment:23

Notably when @estelaris explains that his host implemented the way cPanel manages passwords in WordPress, this is the direction I was proposing.

#3 @audrasjb
3 months ago

  • Keywords needs-copy-review needs-design-feedback needs-patch added
  • Owner set to audrasjb
  • Status changed from new to accepted

Moving to 6.7 with the needs-design-feedback and needs-copy-review workflow keywords.

#4 @ludovicsclain
3 months ago

Hi guys!

Things have changed a bit since this ticket was opened over a year ago, and I've just updated myself to the latest version of WordPress and see how this could be achieved.

Still, as suggested by @estelaris here https://core.trac.wordpress.org/ticket/39638#comment:23 (I'm repeating myself, I know 😜), cPanel has an interesting way of managing passwords for its SQL database users.

Look instead:

https://ludovicclain.com/wp-content/uploads/2024/06/CleanShot-2024-06-20-at-20.40.03.gif

In the same vein, I tried to add JavaScript to obtain a checkbox “I have copied this password in a safe place.” which would disable the submit button if it is not checked.

Also, to be less confusing with saving passwords from password management extensions or the browser, go for a button that says “Use this Password” rather than “Save Password”.

https://ludovicclain.com/wp-content/uploads/2024/06/CleanShot-2024-06-20-at-20.37.56.gif

I haven't quite succeeded with my visual examples, but I hope you get the idea, and obviously adding advanced options to "harden" the password like cPanel does would be great (or even offer the possibility of locking the minimum security level of a password to “medium” and not authorizing “tweak”… to see!).

Thank you for your attention, this is the first time I'm working here, I hope I'm doing it correctly 🙏 

Warm regards from 🇷🇪,
Ludovic
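As an added illustration (not code from the ticket, its author, or WordPress core), the flow comment #4 sketches as a browser script: the reset form's submit stays disabled until the user ticks the acknowledgement checkbox and the password meets a minimum strength, and the button is relabelled. The element ids #resetpassform, #pass1 and #wp-submit and the 0-4 score from wp.passwordStrength.meter() are assumptions about wp-login.php, not confirmed by the ticket.

```javascript
// Added example; the WordPress ids and strength-meter API below are assumed.
const MIN_STRENGTH = 2;            // assumed "medium" on the meter's 0-4 scale
const SUBMIT_LABEL = 'Use this Password';
const ACK_LABEL = 'I have copied this password in a safe place.';

// Pure state logic, kept free of the DOM so it can be unit tested.
function initialState() {
  return { acknowledged: false, strength: 0 };
}

function reduce(state, event) {
  switch (event.type) {
    case 'ack':
      return { ...state, acknowledged: Boolean(event.checked) };
    case 'password':
      // Any edit to the password invalidates an earlier acknowledgement.
      return { acknowledged: false, strength: Number(event.strength) };
    default:
      return state;
  }
}

function canSubmit(state, minStrength = MIN_STRENGTH) {
  return state.acknowledged && state.strength >= minStrength;
}

// DOM wiring; `meter` maps a password to a 0-4 score. Browser only.
function attach(form, meter) {
  const pass1 = form.querySelector('#pass1');
  const submit = form.querySelector('#wp-submit');
  let state = initialState();
  const sync = () => { submit.disabled = !canSubmit(state); };

  // Mark the field as a new credential so managers offer to update, not autofill.
  pass1.setAttribute('autocomplete', 'new-password');
  submit.value = SUBMIT_LABEL;

  const box = document.createElement('input');
  box.type = 'checkbox';
  const label = document.createElement('label');
  label.append(box, ' ' + ACK_LABEL);
  submit.parentNode.insertBefore(label, submit);

  box.addEventListener('change', () => {
    state = reduce(state, { type: 'ack', checked: box.checked }); sync();
  });
  pass1.addEventListener('input', () => {
    box.checked = false;
    state = reduce(state, { type: 'password', strength: meter(pass1.value) }); sync();
  });
  sync();
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    const form = document.getElementById('resetpassform');
    if (form && window.wp && wp.passwordStrength) {
      attach(form, (pw) => wp.passwordStrength.meter(pw, [], pw));
    }
  });
}
```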
