Make WordPress Core

Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#57734 closed enhancement (wontfix)

9 chars instead of 12 in wp_get_password_hint()

Reported by: drelkata
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: has-patch
Focuses: ui
Cc:

Description

WordPress uses zxcvbn to check password strength and sets the minimum required strength to 3. wp_get_password_hint() mistakenly informs the user that a minimum password length of 12 is needed, when a length of 9 is actually being accepted.

I know that the hint wording uses should and not must, but WooCommerce, for instance, only shows the hint when your password strength is < 3, thus leading our users into believing they needed at least 12 characters and being confused when they managed to register with their shorter passwords. Minimum length of 12 for passwords is a good practice, of course, but the wording for the hint can easily be confused for an outright requirement.

Change History (4)

#2 @drelkata
22 months ago

To clarify the WooCommerce bit a bit more: WooCommerce only shows "Hint: The password should be at least twelve characters long." when you've entered less than 9 chars; inputting 9 or more chars would cause the hint to disappear and lead to confusion. Although this can be attributed as a WooCommerce issue, it only contributed more to my initial belief that the hint wording is misleading.

Last edited 22 months ago by drelkata

#3 @peterwilsoncc
22 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Hello and welcome to trac!

As WordPress doesn't enforce a minimum password length, as you guessed, the hint text is intended as advisory rather than enforcing any limits.

By default a one character password is accepted but the user must accept the weak password warning. Conversely, a user can receive the weak password warning for longer passwords, for example if I try to set my password to my username peterwilsoncc (13 characters) I am warned as it matches the login.

For plugins that enforce a minimum password, WordPress provides the password_hint filter to allow them to modify the text to indicate a minimum length password is required. If WooCommerce enforces a minimum password length, I suggest you log an issue in the plugin's issue tracker to suggest they alter the text.

I'm going to close this as wontfix as I think the current text is correct; WordPress is suggesting twelve or more characters and that is more secure than suggesting nine or more characters.

Enforcing strong passwords is being discussed in ticket #35817, although it seems unlikely it will be added.
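The approach peterwilsoncc describes above, as an added example (this is not WordPress core code, WooCommerce code, or anything from this ticket): a small plugin that actually enforces a minimum length on the profile-edit and password-reset paths, and uses the password_hint filter so the hint reads as the requirement it now is. The password_hint filter is the one named in the comment; user_profile_update_errors and validate_password_reset are core hooks that fire before the new password is saved. The plugin name, the example_ function prefix, and the length of 12 are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Example Minimum Password Length
 * Description: Added example, not WordPress core or WooCommerce code.
 */

// Hypothetical minimum for this example; core itself enforces no minimum length.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

/**
 * Reword the advisory hint produced by wp_get_password_hint() so it states
 * the requirement this plugin enforces ("must" rather than "should").
 */
function example_password_hint( $hint ) {
	return sprintf(
		/* translators: %d: minimum password length */
		__( 'Hint: The password must be at least %d characters long. To make it stronger, use upper and lower case letters, numbers, and symbols.' ),
		EXAMPLE_MIN_PASSWORD_LENGTH
	);
}
add_filter( 'password_hint', 'example_password_hint' );

/**
 * Shared check: add an error to $errors when $password is shorter than the minimum.
 * Length is measured in characters (mb_strlen), not bytes, so multibyte passwords
 * are not penalised; an empty value means no password change was requested.
 */
function example_check_password_length( WP_Error $errors, $password ) {
	if ( '' === $password ) {
		return;
	}
	if ( mb_strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
		$errors->add(
			'example_password_too_short',
			sprintf(
				/* translators: %d: minimum password length */
				__( '<strong>Error:</strong> The password must be at least %d characters long.' ),
				EXAMPLE_MIN_PASSWORD_LENGTH
			)
		);
	}
}

/**
 * Profile edit and "Add New User" in wp-admin: edit_user() has already copied
 * the submitted pass1 field into $user->user_pass when this action fires.
 */
function example_enforce_on_profile_update( $errors, $update, $user ) {
	if ( isset( $user->user_pass ) ) {
		example_check_password_length( $errors, $user->user_pass );
	}
}
add_action( 'user_profile_update_errors', 'example_enforce_on_profile_update', 10, 3 );

/**
 * Password reset form (wp-login.php?action=rp): this action fires before
 * reset_password() is called, and the reset only proceeds if $errors is empty.
 * On the initial GET that displays the form, pass1 is absent and nothing is checked.
 */
function example_enforce_on_password_reset( $errors, $user ) {
	if ( isset( $_POST['pass1'] ) ) {
		example_check_password_length( $errors, wp_unslash( $_POST['pass1'] ) );
	}
}
add_action( 'validate_password_reset', 'example_enforce_on_password_reset', 10, 2 );
```

With this installed, a 9-character password is rejected server-side on both paths rather than merely flagged weak by the zxcvbn meter in the browser, and the hint shown to the user matches what is enforced. The strength meter's minimum score of 3 is unchanged; length and score are independent checks, which is exactly why a 13-character password equal to the username can still be flagged as weak.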

#4 @drelkata
22 months ago

Understood, thank you for your reply.
