26 Comments

  1. Ipstenu (Mika E)

    Obligatory xkcd comic: http://xkcd.com/936/

  2. Ryan Hellyer

    Here’s the result I got for “1234567890abcdefghijklmnopqrstuvwxyz”:
    http://stuff.ryanhellyer.net/wordpress-3-7-password.png

  3. James Mowery

    In practice, I generate random passwords (at least 14 characters long, if the system allows it, which is silly; there are sites that don’t) with 1Password. LastPass is another option, but that stores data in the cloud, which might unsettle some people. KeePass is yet another option I’ve seen mentioned.

    These types of systems/platforms should force stronger passwords. WordPress is no different. Remembering them, especially if you have more than one WordPress site, might be a pain, which is understandable. (With ManageWP, that isn’t a problem.)

    Everyone is better off with better (and if that means it needs to be forced, then so be it) security practices.

  4. DaveZ

    Can the auto updates be disabled?

  5. Xpean

    A password generator would be much appreciated in 3.7

  6. Guy Cook

    Password strength test sounds like an overdue update after reading your article, thanks for sharing. As for the part about ‘WordPress doesn’t actually force you to use a stronger password’, that’s probably being saved for WordPress 3.8, huh?

  7. Tommy Surbakti

    Finally, even if a few years too late :)

    I always use a password manager such as KeePassX to generate passwords at least 20 characters long. And why not auto-generate a few passwords, for example strong passwords?

    Lowercase letters, numbers, symbols.

    Let’s say you use p4$$w0RD:
    it follows the above recommendation but is still weak.

  8. Otto

    If you want to do tests against the zxcvbn library, there’s a demo page that uses it here which gives you more information about how it matches passwords:

    https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html

    It shows the breakdown of whatever password you type in and how it considers it.

  9. Sarah Gooding

    @Otto – Awesome! Thanks for that link :)

  10. Scott Dunn

    Pleased to see that 5 of my passwords all result in centuries to break.

    Glad to see WordPress focus on security this release!

  11. Wil Brown

    Will there be an admin option to force users into having a password strength >= a particular level?

    I think that would be a great feature and the default could be set at very strong, forcing website owners to downgrade, prompting them at that stage again to recognise that a weak password could result in the site being compromised.

  12. Janw Oostendorp

    @James Mowery
    I use KeePass in combination with Firefox and love it.
    I use it to store a lot of sensitive information.

  13. WPWeekly Episode 122 – Code Revisions And Core

    […] 3.7 beta 1 released Ridiculously smart password meter coming to WordPress 3.7 Should code revisions be added to WordPress core? New Profile Design For WordPress.org WPEngine CEO […]

  14. L’Hebdo WordPress No. 202: | WordPress Francophone

    […] Gooding presents the new password tester (in English), which will make its entry in WordPress 3.7. Derived from the technology developed by Dropbox, it […]

  15. WordPress Francophone: L’Hebdo WordPress No. 202: WordCamp Europe 2013 – WordPress 3.7 – Translation - WordPress Actualités: WordPress Actualités

    […] Gooding presents the new password tester (in English), which will make its entry in WordPress 3.7. Derived from the technology developed by Dropbox, it […]

  16. Your Passwords Are Not Secure (and how to fix it)

    […] UPDATE: The Dropbox password strength meter explained in this post is added to WordPress 3.7. You can read an article about it on WP Tavern. […]

  17. WordPress 3.7 behind the obvious | tinyGod

    […] vision of making WordPress upgrades as silent as Chrome browser does. It also introduces a better meter when choosing passwords, which is awesome. But for us, wannabe-developers, there are so many tiny […]

  18. Should WordPress Include a Password Generator?

    […] 3.7 made strong strides towards helping users create stronger passwords with the new password strength meter, powered by the zxcvbn library. Despite having this excellent tool available, many users have […]

  19. Guy Lerner

    Sarah

    I would like to “relax” the password restrictions in WP 3.7, but I don’t see how to do this.

    Can you provide some direction?

    thanks

    gml

  20. Sarah Gooding

    @Guy Lerner – I’m not aware of any password restrictions. You can still use “admin” for your password if you want to. I would not advise removing the password strength meter.

  21. Guy Lerner

    Hi Sarah…

    Thanks for the ultra quick reply… I don’t want to remove the meter… I just want to make the restrictions a bit more “relaxed”, because when I create a weak password I get this message:

    ERROR: You MUST Choose a password that rates at least Strong on the meter. Your setting have NOT been saved.

    Basically, when someone signs up for my site, I want to allow them to create whatever password they want regardless of strength.

    Thanks… I hope that explains it.

    gml

  22. Peter Wise

    I agree w/ Guy – I think this new strength meter is actually TOO strong.
    For the average user, being encouraged to create a password that is so complex that it can’t be remembered means that they will have to constantly go through the password reset routine.

    I use the Login Lockdown plugin to guard against brute force guessing attacks. Once you have that in place, lower entropy passwords are not such a risk. I’m not saying use “password” or “admin”, but the current system rates “AppleBanana_1945!” or “applebananafriend45” as weak passwords.

    Combine that plugin with usernames that are not “admin” and are never displayed on your site, and you’re pretty good, I would say.

    Would love to see the core move in that direction with security, but it doesn’t seem likely to happen.

  23. Wil

    @Peter – security is a compromise. If your password is very hard to remember then it’s also very hard for a hacker/bot to guess.

    The compromise is in how usable the security measure is vs how much business value you put on your website/data.

    This will differ depending on what you use your website for.

    If it’s a blog for a hobby, then it may be an irritant if your site gets hacked, but if you are a sole trader with an eCommerce site whose living depends on it, then security is a whole different ball game.

    Not just in the site being compromised but in customer trust and brand identity too.

    Have a look at some password services such as LastPass for storing and encrypting your passwords for use on multiple devices.

    • jez

      But Wil, the point, as per the XKCD cartoon, is that better passwords can be easy to remember: “correcthorsebatterystaple” is in fact much better than short randomised strings. No need for the compromise if we are educated about the concept of entropy. In the critical situations you describe I would suggest moving to two-factor authentication.

      Sarah, choosing to use a weak password isn’t necessarily about leaving the door unlocked, it is very useful for test environments which are on restricted networks. And to be honest, if a hacker gains access to our network the last thing we’d be worried about is them accessing a development instance of WordPress!

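Tommy’s “p4$$w0RD” example (comment 7) and jez’s passphrase point above can be put side by side in code. This is an added illustration, not zxcvbn or WordPress code: it contrasts a naive charset-times-length meter with a toy dictionary-aware estimator in the spirit of zxcvbn; the wordlist, its frequency ranks, the leet table and the guess rates are constructed assumptions.

```python
import math

# Constructed toy wordlist: word -> frequency rank in a large password/English
# dictionary (illustrative ranks, not zxcvbn's real data).
WORD_RANK = {"password": 1, "qwerty": 5, "apple": 120, "friend": 250,
             "banana": 300, "horse": 900, "correct": 1500, "battery": 3000,
             "staple": 12000}
# Common "leet" substitutions a dictionary-aware meter undoes before matching.
LEET = str.maketrans({"4": "a", "@": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "3": "e", "7": "t", "!": "i"})

def brute_force_bits(password):
    """Naive estimate, log2(charset_size ** length): what a simple meter reports."""
    pool = 0
    if any(c.islower() for c in password): pool += 26
    if any(c.isupper() for c in password): pool += 26
    if any(c.isdigit() for c in password): pool += 10
    if any(not c.isalnum() for c in password): pool += 33
    return len(password) * math.log2(pool) if pool else 0.0

def pattern_aware_bits(password):
    """Dictionary-aware estimate in the spirit of zxcvbn.  A matched word costs
    log2(rank) guesses plus one bit per leet substitution and one for any
    capitalisation, not the full brute-force cost of its characters."""
    normalised = password.lower().translate(LEET)   # same length as password
    bits, i = 0.0, 0
    while i < len(normalised):
        hits = [w for w in WORD_RANK if normalised.startswith(w, i)]
        if hits:
            word = max(hits, key=len)            # prefer the longest match
            raw = password[i:i + len(word)]
            subs = sum(1 for a, b in zip(raw.lower(), word) if a != b)
            caps = 1 if any(c.isupper() for c in raw) else 0
            bits += math.log2(WORD_RANK[word]) + subs + caps
            i += len(word)
        else:                                    # unmatched char: brute force it
            bits += brute_force_bits(password[i])
            i += 1
    return bits

def crack_seconds(bits, guesses_per_second=1e4):
    """Expected time to hit the password at the given guess rate (half the
    keyspace on average); 1e4/s models a throttled online attack, offline
    cracking of a stolen hash runs orders of magnitude faster."""
    return (2.0 ** bits / 2) / guesses_per_second

if __name__ == "__main__":
    for pw in ("p4$$w0RD", "correcthorsebatterystaple"):
        print(pw, round(brute_force_bits(pw), 1), round(pattern_aware_bits(pw), 1),
              f"{crack_seconds(pattern_aware_bits(pw)):.3g}s")
```

The naive meter credits “p4$$w0RD” with over 50 bits while the dictionary-aware one sees a top-ranked word with four substitutions and some capitals, about 5 bits; the four-word passphrase lands near the 44 bits the xkcd strip estimates.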
  24. WordPress Security Checklist : Clef

    […] 3. Ensure that, when you do use passwords, you use strong ones. Luckily, since WordPress 3.7 (which you should most definitely have) there’s a great password strength meter built in. […]

  25. [Mistakes #10] Five Common WordPress Security Mistakes … and How to Fix Them | Marketing Aces

    […] it: Starting with version 3.7, WordPress has a smarter password strength meter. Use it to make a stronger password. You can’t remember many passwords, so use a password […]
