make WordPress password management more “understandable”?

[ludovicsclain]

Hey there 👋
I’m not sure I’m in the right place to suggest something but here I go:
Are there plans to make WordPress password management more “understandable”?

Let me explain :
when my users need to change their password (after a lost password or an expiration), the “Save password” is confusing, most forget to copy/paste this password somewhere and understand that the password has been saved.

​https://markuphero.com/share/N8RP1UaE0rIYXih6TxiI

If in addition the user is used to having his browser save his passwords, the confusion is even greater: the user clicks on “Save password”, returns to the login page, the browser automatically fills in the fields (with the old password) and obviously… login failure!

I use cPanel and just had to create a new database, I find the user experience more explicit: I have a “Password generator” button and then a mandatory checkbox “I have copied this password in a safe place.” then finally a “Use password”.

What do you think ? Am I the only one who thinks these steps deserve a better UX? 😬

[georgestephanis]

I think this may have gotten lost in the Application Passwords component -- when this (by my reading) is intending to address actual password change flow.

I'm adjusting it to the "Users / Login and Registration" component, which I believe would be the relevant place for discussing user password change flows.

I believe that generally when a password field is submitted to the site with a different password than a password manager expects, it will kick off a flow in a password manager to update the existing password, but it could vary based on the password manager being used.

I'd be curious to see a "proof of concept" plugin for an improved, more explicit flow, to serve as a proposal for this iteration in core!

[ludovicsclain]

Replying to georgestephanis:

I think this may have gotten lost in the Application Passwords component -- when this (by my reading) is intending to address actual password change flow.

I'm adjusting it to the "Users / Login and Registration" component, which I believe would be the relevant place for discussing user password change flows.

I believe that generally when a password field is submitted to the site with a different password than a password manager expects, it will kick off a flow in a password manager to update the existing password, but it could vary based on the password manager being used.

I'd be curious to see a "proof of concept" plugin for an improved, more explicit flow, to serve as a proposal for this iteration in core!

Thank you @georgestephanis for considering my request, I can indeed think of a plugin improving all of this, but by doing some research I realize that solutions have already been mentioned on other tickets but that they have not been followed:

https://core.trac.wordpress.org/ticket/39638#comment:23

Notably when @estelaris explains that his host implemented the way cPanel manages passwords in WordPress, this is the direction I was proposing.

[audrasjb]

Moving to 6.7 with the needs-design-feedback and needs-copy-review workflow keywords.

[ludovicsclain]

Hi guys !

Things have changed a bit since this ticket was opened over a year ago, and I've just updated myself to the latest version of WordPress and see how this could be achieved.

Still as suggested by @estelaris here https://core.trac.wordpress.org/ticket/39638#comment:23 (I'm repeating myself, I know 😜 ), cPanel has a way of managing passwords for its SQL database users interesting.

Look instead:

In the same vein, I tried to add javascript to obtain a checkbox I have copied this password in a safe place. which would disable the submit button if it is not checked.

Also, to be less confusing with saving passwords from password management extensions or the browser, go for a button that says Use this Password rather than Save Password.

I haven't quite succeeded with my visual examples, but I hope you get the idea, and obviously adding advanced options to "harden" the password like cPanel does would be great (or even offer the possibility of locking the minimum security level of a password to “medium” and not authorizing “tweak”… to see!).

Thank you for your attention, this is the first time I'm working here, I hope I'm doing it correctly 🙏 

Warm regards from 🇷🇪,
Ludovic

[ludovicsclain]

Hello everyone,

I'm pleased to share that, following the discussion on this ticket, I've developed a proof-of-concept plugin named PassMazing Flow. This plugin aims to enhance the password management experience in WordPress by introducing a more explicit and user-friendly flow. Key features include:

• A confirmation checkbox requiring users to acknowledge they've saved their new password.
• Clearer button labeling to reduce confusion during password changes.

These enhancements are designed to address the usability concerns highlighted earlier in this thread.

The plugin will be available (tomorrow) on the WordPress Plugin Repository: [PassMazing Flow](​https://wordpress.org/plugins/passmazing-flow/)

I invite you all to test it, provide feedback, and contribute to its improvement. Your insights will be invaluable in refining this approach and potentially informing future iterations in WordPress core.

Thank you for your attention and support.

Best regards,
Ludovic