#57734 closed enhancement (wontfix)
9 chars instead of 12 in wp_get_password_hint()
| Reported by: | drelkata | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Login and Registration | Keywords: | has-patch |
| Focuses: | ui | Cc: | |
Description
WordPress uses zxcvbn to check password strength and sets the minimum required strength to 3. wp_get_password_hint() mistakenly informs the user that a minimum password length of 12 is needed, when a length of 9 is actually being accepted.
I know that the hint wording uses "should" and not "must", but WooCommerce, for instance, only shows the hint when your password strength is < 3, thus leading our users into believing they needed at least 12 characters and being confused when they managed to register with their shorter passwords. A minimum length of 12 for passwords is a good practice, of course, but the wording for the hint can easily be confused for an outright requirement.
Change History (4)
#1 (22 months ago)
This ticket was mentioned in PR #4085 on WordPress/wordpress-develop by apenchev.

#2 (22 months ago)
To clarify the WooCommerce bit a bit more: WooCommerce only shows "Hint: The password should be at least twelve characters long." when you've entered fewer than 9 chars; inputting 9 or more chars causes the hint to disappear and leads to confusion. Although this can be attributed to WooCommerce, it only contributed more to my initial belief that the hint wording is misleading.
#3 (22 months ago)
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
Hello and welcome to trac!
As WordPress doesn't enforce a minimum password length, as you guessed, the hint text is intended as advisory rather than enforcing any limits.
By default a one-character password is accepted but the user must accept the weak password warning. Conversely, a user can receive the weak password warning for longer passwords; for example, if I try to set my password to my username peterwilsoncc (13 characters) I am warned as it matches the login.
For plugins that enforce a minimum password, WordPress provides the password_hint filter to allow them to modify the text to indicate a minimum length password is required. If WooCommerce enforces a minimum password length, I suggest you log an issue in the plugin's issue tracker to suggest they alter the text.
I'm going to close this as wontfix as I think the current text is correct, WordPress is suggesting twelve or more characters and that is more secure than suggesting nine or more characters.
Enforcing strong passwords is being discussed in ticket #35817, although it seems unlikely it will be added.
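The closing comment points plugins that actually enforce a minimum length at the password_hint filter, so the hint and the rule stay in agreement. The plugin below is an added example, not WordPress core code and not WooCommerce's code. It uses three real WordPress hooks (the password_hint filter, and the validate_password_reset and user_profile_update_errors actions) but the constant EXAMPLE_MIN_PASSWORD_LENGTH, the function example_check_password_length() and the limit of 12 are assumptions chosen for illustration. It also rejects a password equal to the login, mirroring the zxcvbn "matches the login" case from the comment, since length alone is not a strength guarantee.

```php
<?php
/**
 * Plugin Name: Example Minimum Password Length
 * Description: Added example (not WordPress core, not WooCommerce). Enforces a
 *              minimum password length and rewrites the hint to say "must".
 */

// Hypothetical policy value; WordPress core itself enforces no minimum length.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

/**
 * Returns a WP_Error describing why $password is rejected, or null if it passes.
 * Hypothetical helper name; kept as a plain function so the policy lives in one place.
 */
function example_check_password_length( $password, $login = '' ) {
    // Count characters rather than bytes so multibyte passwords are measured fairly.
    $length = function_exists( 'mb_strlen' ) ? mb_strlen( $password, 'UTF-8' ) : strlen( $password );

    if ( $length < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return new WP_Error(
            'password_too_short',
            sprintf( __( 'Error: The password must be at least %d characters long.' ), EXAMPLE_MIN_PASSWORD_LENGTH )
        );
    }

    // The comment's own counter-example: "peterwilsoncc" is 13 characters yet
    // still weak because it equals the login. Length is necessary, not sufficient.
    if ( '' !== $login && 0 === strcasecmp( $password, $login ) ) {
        return new WP_Error( 'password_is_login', __( 'Error: The password must not be the same as the username.' ) );
    }

    return null;
}

// Rewrite the advisory hint (real filter, applied inside wp_get_password_hint())
// so it states the rule this plugin actually enforces instead of "should".
add_filter( 'password_hint', function ( $hint ) {
    return sprintf(
        __( 'Hint: The password must be at least %d characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ %% ^ & ).' ),
        EXAMPLE_MIN_PASSWORD_LENGTH
    );
} );

// Reset / "set password" form (wp-login.php?action=rp): the new password arrives in $_POST['pass1'].
// $user is a WP_User on success or a WP_Error when the reset key was invalid.
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
    if ( ! isset( $_POST['pass1'] ) ) {
        return; // Form is being displayed, nothing submitted yet.
    }
    $login  = ( $user instanceof WP_User ) ? $user->user_login : '';
    $result = example_check_password_length( wp_unslash( $_POST['pass1'] ), $login );
    if ( $result instanceof WP_Error ) {
        $errors->add( $result->get_error_code(), $result->get_error_message() );
    }
}, 10, 2 );

// Profile and user-edit screens: edit_user() only sets $user->user_pass when a new password was typed.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // Password unchanged on this save.
    }
    $login  = isset( $user->user_login ) ? $user->user_login : '';
    $result = example_check_password_length( $user->user_pass, $login );
    if ( $result instanceof WP_Error ) {
        $errors->add( $result->get_error_code(), $result->get_error_message() );
    }
}, 10, 3 );
```

The check is attached to both places where core lets a user choose a password (the reset form and the profile screen); the default wp-login.php registration form collects no password, so there is nothing to validate there. With this in place the hint, the enforced rule and the weak-password handling all agree, which is the mismatch the ticket was really about.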