Ridiculously Smart Password Meter Coming to WordPress 3.7

WordPress 3.7 is right around the corner with the beta out this weekend and the official release coming in mid-October. This release has a strong focus on improving WordPress security and includes automatic updates to help installs stay up to date with maintenance and security releases. If you install the beta and have a play, you’ll find some fancy, yet subtle changes under the hood.

WordPress 3.7 Helps New Users Make Better Password Decisions

Have you ever wondered whether or not password strength meters help anyone? They’re employed on nearly every website with user capabilities, including WordPress sites, which account for a large chunk of the web.

Password strength meters can help users select stronger passwords but only if the script the meter uses to estimate password strength is helpful. That’s why WordPress 3.7 will be making use of Dropbox’s zxcvbn library.

A cursory test of the new password meter in WordPress reveals that it is stricter in what it considers to be a strong password.

Password "pingpong" strength meter comparison
Password “pingpong” strength meter comparison

But the new password strength meter goes far beyond simply being “stricter” and is actually much smarter in how it performs its estimations.

Smarter Password Strength Estimations

The challenge of creating passwords that are easy for you to remember, yet difficult for hackers to crack, led to the common practice of l33t speak substitutions, ie. using 3 for e, 0 for o, etc. However, this practice is so common now that it’s quite easy for these kinds of passwords to be cracked. Nevertheless, password meters are still ranking these passwords as strong because they contain a combination of letters, numbers and symbols.

The zxcvbn library actually accounts for this and therefore its evaluation is not merely stricter but rather, it’s a smarter estimation of password strength. Whereas “G00dm0rn1ng!” may have previously been considered a strong password in WordPress 3.6, the new password meter rates it as being very weak.

Password "G00dm0rn1ng!" strength meter comparison
Password “G00dm0rn1ng!” strength meter comparison

It’s interesting to note that “G00dm0rn1ng!” scores very well on a password scoring checklist, but due to its common number/letter substitutions, it would not be considered a strong password by WordPress 3.7’s new password meter.

How does it perform better calculations? Well, this is a matter of some major geekery. zxcvbn first performs a match to see if the password entered matches against common passwords and patterns that are easy to crack. Currently it matches against:

  • Several dictionaries (English words, names and surnames, Burnett’s 10,000 common passwords)
  • Spatial keyboard patterns (QWERTY, Dvorak, and keypad patterns), repeats (aaa), sequences (123, gfedcba), years from 1900 to 2019, and dates (3-13-1997, 13.3.1997, 1331997).
  • Recognizes uppercasing and common l33t substitutions for all dictionaries

Secondly, it assigns the password a score based on entropy in bits. Password entropy is calculated by the number of times a space of possible passwords can be cut in half, as outlined by Dan Wheeler in his article explaining zxcvbn’s model of estimating realistic password strength.

zxcvbn calculates a password’s entropy to be the sum of its constituent patterns. Any gaps between matched patterns are treated as brute-force “patterns” that also contribute to the total entropy

This is a simple calculation but without checking for commonly used patterns, older methods of determining password entropy are too simplified to be useful.

Lastly, the search aspect of the model finds the simplest (lowest entropy) non-overlapping sequence after analyzing the possibilities for overlapping matches. It can then give a more accurate estimation of the complexity of the password structure.

All that to say, with the help of zxcvbn, WordPress is giving much more sound password advice to its users in 3.7. It’s important to note that WordPress doesn’t actually force you to use a stronger password. You can still go on using “admin123” if you want to leave all your doors unlocked for hackers. But the new password strength meter in WordPress 3.7 should help users make better decisions.


26 responses to “Ridiculously Smart Password Meter Coming to WordPress 3.7”

  1. In practice, I generate random passwords (at least 14 characters long, if the system allows it, which is silly there are sites that don’t) with 1Password. LastPass is another option, but that stores data in the cloud which might unsettle some people. Keypass is yet another option I’ve seen mentioned.

    These types of systems/platforms should force stronger passwords. WordPress is no different. Remembering, especially if you have more than one WordPress site, them might be a pain, which is understandable. (With ManageWP, that isn’t a problem.)

    Everyone is better off with better (and if that means it needs to be forced, then so be it) security practices.

  2. Password strength test sounds like an overdue update after reading your article, thanks for sharing. The part about ‘WordPress doesn’t actually force you to use a stronger password.’ That’s probably being saved for WordPress 3.8 huh?

  3. Finally, even too late few years :)

    I always use password manager such keepassx to generate at least 20 characters long. and why not add auto generate few password for example strong password ?

    lowercase letters, number, simbol

    Let say use p4$$w0RD
    use above recommendation but still weak

  4. Will there be an admin option to force users into having a password strength = > a particular level?

    I think that would be a great feature and the default could be set at very strong, forcing website owners to downgrade, prompting them at that stage again to recognise that a weak password could result in the site being compromised.

  5. hi sarah…..

    thanks for the ultra quick reply….I don’t want to remove the meter….I just want to make the restrictions a bit more “relaxed” because when I create a weak password I get this message:

    ERROR: You MUST Choose a password that rates at least Strong on the meter. Your setting have NOT been saved.

    basically, when someone signs up for my site, I want to allow them to create whatever password they want regardless of strength

    thanks….I hope that explains it


  6. I agree w/ Guy – I think this new strength meter is actually TOO strong.
    For the average user, being encouraged to create a password that is so complex that it can’t be remembered means that they will have to constantly go through the password reset routine.

    I use the Login Lockdown plugin to guard against brute force guessing attacks. Once you have that in place, lower entropy passwords are not such a risk. I’m not saying use “password” or “admin”, but the current system rates “AppleBanana_1945!” or “applebananafriend45” as weak passwords.

    Combine that plugin with usernames that are not “admin” and are never displayed on your site, and you’re pretty good, I would say.

    Would love to see the core move in that direction with security, but it doesn’t seem likely to happen.

  7. @Peter – security is a compromise. If your password is very hard to remember then it’s also very hard for a hacker/bot to guess.

    The compromise is in how usable the security measure is vs how much business value you put on your website/data.

    This will differ depending on what you use your website for.

    If it’s a blog for a hobby, then it may be an irritant if your site gets hacked but if you are a sole trader with an eCommerce site who’s living depends on it, then security is whole different ball game.

    Not just in the site being compromised but in customer trust and brand identity too.

    Have a look at some password services such as LastPass for storing and encrypting your passwords for use on multiple devices.

    • But Wil, the point, as per the XKCD cartoon, is that better passwords can be easy to remember “correcthorsebatterystaple” are in fact much better than short randomised strings. No need for the compromise if we are educated about the concept of entropy. In the critical situations you describe I would suggest moving to 2 factor authentication.

      Sarah, choosing to use a weak password isn’t necessarily about leaving the door unlocked, it is very useful for test environments which are on restricted networks. And to be honest, if a hacker gains access to our network the last thing we’d be worried about is them accessing a development instance of WordPress!


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: