26 Comments


  1. In practice, I generate random passwords (at least 14 characters long, if the system allows it; it is silly that there are sites that don’t) with 1Password. LastPass is another option, but that stores data in the cloud, which might unsettle some people. KeePass is yet another option I’ve seen mentioned.

    These types of systems/platforms should force stronger passwords. WordPress is no different. Remembering them, especially if you have more than one WordPress site, might be a pain, which is understandable. (With ManageWP, that isn’t a problem.)

    Everyone is better off with better (and if that means it needs to be forced, then so be it) security practices.

    Reply

  2. Password strength test sounds like an overdue update after reading your article, thanks for sharing. The part about ‘WordPress doesn’t actually force you to use a stronger password.’ That’s probably being saved for WordPress 3.8 huh?

    Reply

  3. Finally, even if a few years too late :)

    I always use a password manager such as KeePassX to generate passwords at least 20 characters long. And why not add auto-generation of a few passwords, for example strong passwords?

    Lowercase letters, numbers, symbols.

    Let’s say you use p4$$w0RD.
    It uses the above recommendation but is still weak.

    Reply

  4. Pleased to see that 5 of my passwords all result in centuries to break.

    Glad to see WordPress focus on security this release!

    Reply

  5. Will there be an admin option to force users into having a password strength >= a particular level?

    I think that would be a great feature and the default could be set at very strong, forcing website owners to downgrade, prompting them at that stage again to recognise that a weak password could result in the site being compromised.

    Reply

  6. Sarah

    I would like to “relax” the password restrictions in WP 3.7, but I don’t see how to do this.

    Can you provide some direction?

    thanks

    gml

    Reply

  7. @Guy Lerner – I’m not aware of any password restrictions. You can still use “admin” for your password if you want to. I would not advise removing the password strength meter.

    Reply

    Hi Sarah…

    Thanks for the ultra quick reply… I don’t want to remove the meter… I just want to make the restrictions a bit more “relaxed”, because when I create a weak password I get this message:

    ERROR: You MUST Choose a password that rates at least Strong on the meter. Your setting have NOT been saved.

    Basically, when someone signs up for my site, I want to allow them to create whatever password they want regardless of strength.

    Thanks… I hope that explains it.

    gml

    Reply

  9. I agree w/ Guy – I think this new strength meter is actually TOO strong.
    For the average user, being encouraged to create a password that is so complex that it can’t be remembered means that they will have to constantly go through the password reset routine.

    I use the Login Lockdown plugin to guard against brute force guessing attacks. Once you have that in place, lower entropy passwords are not such a risk. I’m not saying use “password” or “admin”, but the current system rates “AppleBanana_1945!” or “applebananafriend45” as weak passwords.

    Combine that plugin with usernames that are not “admin” and are never displayed on your site, and you’re pretty good, I would say.

    Would love to see the core move in that direction with security, but it doesn’t seem likely to happen.

    Reply

  10. @Peter – security is a compromise. If your password is very hard to remember then it’s also very hard for a hacker/bot to guess.

    The compromise is in how usable the security measure is vs how much business value you put on your website/data.

    This will differ depending on what you use your website for.

    If it’s a blog for a hobby, then it may be an irritant if your site gets hacked, but if you are a sole trader with an eCommerce site whose living depends on it, then security is a whole different ball game.

    Not just in the site being compromised but in customer trust and brand identity too.

    Have a look at some password services such as LastPass for storing and encrypting your passwords for use on multiple devices.

    Reply

    • But Wil, the point, as per the XKCD cartoon, is that better passwords can be easy to remember: passphrases like “correcthorsebatterystaple” are in fact much better than short randomised strings. No need for the compromise if we are educated about the concept of entropy. In the critical situations you describe I would suggest moving to two-factor authentication.

      Sarah, choosing to use a weak password isn’t necessarily about leaving the door unlocked, it is very useful for test environments which are on restricted networks. And to be honest, if a hacker gains access to our network the last thing we’d be worried about is them accessing a development instance of WordPress!

      Reply
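The thread above argues about entropy in three places: the password-manager generators in comments 1 and 3 (14 or 20 random characters, and why p4$$w0RD is still weak), the “centuries to break” readings from the meter in comment 4, and the XKCD passphrase point in the last reply. The following is an added worked example, not code from the original post, from WordPress, or from any commenter, that puts numbers on those claims. It assumes a hypothetical 7776-word list for the passphrase scheme (the short `SAMPLE_WORDS` list is constructed only so the generator runs offline) and an assumed offline guessing rate of 10^10 guesses per second; both values are labelled as assumptions in the code.

```python
import math
import secrets
import string

# Constructed word list: a stand-in for a real diceware-style list. Only the
# size of the list the words are drawn from matters for the entropy estimate,
# so the figures below assume a hypothetical 7776-word list (6^5, as in
# diceware) rather than this eight-word sample.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "apple", "banana", "friend", "river"]
ASSUMED_WORDLIST_SIZE = 7776

# Assumed offline guessing rate for the time-to-crack estimate (hypothetical).
ASSUMED_GUESSES_PER_SECOND = 1e10

CHAR_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of a secret built from `picks` independent uniform choices out of `choices`.

    Valid only for secrets a generator actually picked at random. A human-chosen
    string such as p4$$w0RD is a dictionary word with substitutions; a
    pattern-aware strength meter rates it far below its raw character count.
    """
    return picks * math.log2(choices)


def expected_crack_seconds(bits: float,
                           guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time for exhaustive search: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def describe_time(seconds: float) -> str:
    """Bucket a duration into the coarse labels a strength meter shows."""
    if seconds < 60:
        return "seconds"
    if seconds < 3600:
        return "minutes"
    if seconds < 86400:
        return "hours"
    if seconds < SECONDS_PER_YEAR:
        return "days"
    if seconds < 100 * SECONDS_PER_YEAR:
        return "years"
    return "centuries"


def random_password(length: int = 14, alphabet: str = CHAR_ALPHABET) -> str:
    """What a password manager does: pick every character with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """XKCD-style passphrase: pick whole words with a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def strength_report(kind: str, bits: float) -> dict:
    """Entropy plus the time-to-crack bucket under the assumed guessing rate."""
    seconds = expected_crack_seconds(bits)
    return {"kind": kind, "bits": round(bits, 1), "crack_time": describe_time(seconds)}


def compare_schemes() -> list:
    """Entropy of the schemes discussed in the thread, each as generated secrets."""
    return [
        strength_report("8 random lowercase letters", entropy_bits(26, 8)),
        strength_report("4 random words from a 7776-word list",
                        entropy_bits(ASSUMED_WORDLIST_SIZE, 4)),
        strength_report("14 random printable ASCII chars",
                        entropy_bits(len(CHAR_ALPHABET), 14)),
        strength_report("20 random printable ASCII chars",
                        entropy_bits(len(CHAR_ALPHABET), 20)),
    ]


if __name__ == "__main__":
    print("example password  :", random_password())
    print("example passphrase:", random_passphrase())
    for row in compare_schemes():
        print(f"{row['kind']:<40} {row['bits']:>6} bits  ->  {row['crack_time']}")
```

Run it and the comparison lines show why the commenters disagree: four words from a 7776-word list carry about 52 bits, which survives online guessing (and a lockout plugin) comfortably but falls in the “days” bucket against the assumed offline rate, whereas 14 or 20 characters from a 94-symbol alphabet land in “centuries”. The keyspace arithmetic applies only to generated secrets; it says nothing about how guessable a human-chosen string like “AppleBanana_1945!” is, which is exactly what a pattern-aware meter measures instead.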
