Should WordPress Include a Password Generator?

WordPress 3.7 made big strides towards helping users create stronger passwords with the new password strength meter, powered by the zxcvbn library. Despite having this excellent tool available, many users have admitted that they are in fact too lazy to come up with a strong password and would prefer to have a password generator available within the WordPress admin.

Aaron Campbell opened a trac ticket on a related topic five years ago, requesting a button that generates a random password to use when creating a new user account in the admin section. Brad Williams chimed in on the original ticket to suggest the cPanel password generator as a good UI example of how WordPress might include this feature. The same idea was also presented by Ryan Duff two years ago in a post on the WordPress Ideas page. While the password strength meter is now active on this screen, you still need to create the password yourself.

Proposal to Add Simple User Password Generator to Core

Several months ago, Pippin Williamson created a new ticket, proposing the inclusion of the Simple User Password Generator plugin, created by the folks at 10up, to accomplish this. This plugin also adds an option to encourage the user to change his password when logged in to the admin. It also has an option to send existing users the new, auto-generated password. It looks like this enhancement is on track to be included in WordPress 3.8.

More Password Wishlist Items

The Simple User Password Generator plugin is excellent but it doesn’t take into account editing your own password at profile.php, which is just as important as setting up new user passwords. It would be helpful to include its capabilities on this screen for changing passwords.

Hopefully the new addition will be extensible so that other plugins can make use of it. It would be nice to be able to easily add this to BuddyPress front-end password management in the settings screen via a plugin.

Ultimately, maintaining a strong password is the responsibility of the user. Do you think that WordPress users would, on the whole, be better served with a built-in password generator? Given that there are already many third-party services such as LastPass, 1Password and others that can do this in the browser, should we be adding this to the core?

14 Comments


  1. Interesting idea and something I tend to lean towards. Even though it’s our responsibility to create our own strong passwords, I think this would be good. Having worked with tons of new users and beginners, this option, although might be passed over by some, would just make it easier to auto-generate a new one rather than spend even the extra few seconds coming up with their own. Overall, we would have better end results than we do now.



  2. Let’s say I am the admin to this site and I send Jeff his strong password.

    What’s to stop him from changing the password to something simple to remember?

    What about the option of forcing people to change passwords every x days? It must be at least 50% strong.

    It is a good idea to change passwords every so often.



  3. If anything it should be a word based password generator. Like the comic: http://xkcd.com/936/ That’s what I do; life is much easier since.



  4. I’m in favour of adding this to Core. With all of the security issues and attack scripts, good password security is truly a Core issue, and what better way to educate users than creating and showing them good passwords?



  5. I use LastPass, and all of my passwords are generated by it, so I won’t see any effect. Ultimately, I think adding a password generator to core is a step in the right direction. The strength meter helps to make people aware of the issue of password security, so it is only natural that we should provide a generator to help them confront the issue.

    I’d really like to see WordPress force all users to have strong passwords by default (with the ability to disable), or at least all administrators.



  6. It’s a tricky one. It would be helpful, but is it really something WordPress should do?

    We do also have Apple’s iCloud Keychain now too. That only helps Mac users, I know, but it’s worth mentioning.



  7. I think it’s a good idea. We often see that lots of people pick terrible passwords and as developers in an age where sites are constantly being pounded by potential hackers secure passwords are a no-brainer first line of defence. The cPanel approach is good, and making users tick the ‘I have copied this password in a safe place’ is a nice touch.



  8. I use LastPass to generate my passwords and prefer using their memorable option since it is a lot cleaner and then I throw in a few special characters and numbers to increase the strength.

    But, for those who don’t have LastPass or use a similar password generator, then it’s a good option to have one for WordPress. The only issue is if it creates a very scrambled password like cPanel. You’ll need to write it down or put it into a password manager.



  9. I think that a login limiter to limit the number of allowed login attempts would be a more useful feature to add to core.



  10. There’s also my WP Password Generator, which includes the functionality missing from Simple User Password Generator :)



  11. Well, the password strength meter is there so the password generator would be a nice addition to that. I’m in favor of a password generator that ONLY creates STRONG passwords but I don’t want WordPress to tell me that I need a strong password to continue. That would be annoying for local dev environments.



  12. Unless I hallucinated the entire event, doesn’t wordpress.com have a strong random generator built into its signup process?

    If it’s good enough for .com, it’s good enough for .org :)

    Like Ajay, I already use LastPass to handle password generation so this won’t matter much to me, but given how many 123456 passwords are probably still in rotation I wouldn’t mind seeing this.

