23 Comments

  1. Joseph

    Hi Sarah,

    It could be off topic, but I noticed that since today, if I share a post from your website on Facebook, the featured image doesn’t appear anymore. The problem seems to have started only today, and I noticed it on other WP sites too. Any idea what the problem could be?

  2. Unai

    I can’t recall what service it was, but I remember signing up on some website that had a really cool feature for the passwords. It would tell you how much time it would take to crack your pass, just like https://howsecureismypassword.net/

    For example:

    123456 — 2 seconds
    P4ssword — 15 hours
    a$Dfy@d{u*f78-a — 4 trillion years

    I can imagine any other system more fun and simple. It would also make a lot of people think twice about their passwords. I’d love to see that feature on a future WordPress update.

    • Armin Grewe

      That’s at least partially meaningless though. The problem in the vast majority of cases is not the strength of the password. In almost all cases it’s not the password that’s cracked. Either the password was obtained by some sort of phishing attack or they found their way into the system by some other means and stole the complete password database or other data.

      It also seems to assume a brute force attack. A decent system would lock you out after a certain number of attempts or create (longer and longer) intervals to slow down any attack like that.

      While complex passwords are important they are also overrated. I have no idea how difficult it would be to integrate features like the ones mentioned into WordPress, but I should think they would be much more helpful than reminders about complex passwords.

      Also nothing stops people using their WordPress password in all kinds of other places, where the password database might be stolen and cracked. Which then in turn is used to gain access to other places including possibly your WordPress account.

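      The lockout with growing intervals described in the comment above, as an added illustration in Python (not WordPress code and not anything from the page): a per-account, per-source counter that tolerates a few failures, then imposes a doubling delay and skips the credential check entirely while the delay is running. The policy values and the injectable clock are constructed assumptions.

```python
import time

# Policy values are constructed for illustration; tune them per site.
FREE_FAILURES = 3      # failures tolerated before any delay is imposed
BASE_DELAY = 5.0       # seconds; doubles with every further failure
MAX_DELAY = 3600.0     # cap so an attacker cannot lock an account out forever


class LoginThrottle:
    """Progressive lockout keyed on (account, client IP): one abusive source
    cannot lock the real owner out of their account, and the owner's own
    typos are not free either. A real deployment adds a per-IP counter too,
    since an attacker cycling usernames gets a fresh counter per account here."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the behaviour can be replayed offline
        self._state = {}     # (username, ip) -> (failure_count, earliest_next_attempt)

    @staticmethod
    def _key(username: str, client_ip: str):
        return (username.lower(), client_ip)

    def retry_after(self, username: str, client_ip: str) -> float:
        """Seconds the caller must still wait; 0.0 means an attempt may proceed."""
        _, not_before = self._state.get(self._key(username, client_ip), (0, 0.0))
        return max(0.0, not_before - self._clock())

    def attempt(self, username: str, client_ip: str, verify):
        """Wrap one login attempt. `verify` is a zero-argument callable that
        checks the credentials; it is not even called while throttled.
        Returns (status, delay) with status "throttled", "ok" or "denied"."""
        key = self._key(username, client_ip)
        wait = self.retry_after(username, client_ip)
        if wait > 0:
            return "throttled", wait
        if verify():
            self._state.pop(key, None)  # success clears the counter
            return "ok", 0.0
        failures, _ = self._state.get(key, (0, 0.0))
        failures += 1
        extra = failures - FREE_FAILURES
        # 0 while within the free failures, then 5 s, 10 s, 20 s, ... up to the cap
        delay = 0.0 if extra <= 0 else min(MAX_DELAY, BASE_DELAY * 2 ** (extra - 1))
        self._state[key] = (failures, self._clock() + delay)
        return "denied", delay
```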

      • Unai

        Totally agree. I was just suggesting a better system than the one proposed by Jaquith: “Simple feedback like ‘too short — add more characters!’”.

        But you’re right, there are better ways to improve security.

      • Rick

        That’s 100% on the money. Weak installations, previous security matters all can result in data compromised. It’s actually one of the areas I love about .NET: security and roles are in the .NET framework and can be as coarse or granular as a developer wants them to be. There is no reason to “roll your own” as it’s already in there. Same “now” with MVC and SEO etc., there is really no reason to go outside the framework itself as it can do anything one wants it to really do, all in a solid unified codebase.

    • Hardik Nagar

      Results are weird though. The password “administrator” would take 19 years to crack, how foolish.

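      Why the crack-time figures quoted by Unai above and the 19-year estimate for “administrator” in Hardik’s reply mislead, as an added Python illustration (not code from the page or from the service linked): a naive meter counts the whole keyspace, whereas an attacker with a wordlist and simple mangling rules finds dictionary-derived passwords in a handful of guesses. The toy wordlist, the guess rate and the mangling rules are constructed assumptions.

```python
# Toy wordlist standing in for a real cracking dictionary (constructed);
# real lists hold millions of entries, so a hit here is only a lower bound.
COMMON_WORDS = {"password", "administrator", "admin", "letmein", "123456", "qwerty"}

# Assumed offline guess rate against a stolen hash database (constructed figure).
GUESSES_PER_SECOND = 1e10

# Common "leet" substitutions that an attacker's mangling rules undo before lookup.
LEET = str.maketrans("430175$@!", "aeoltssai")


def charset_size(pw: str) -> int:
    """Size of the alphabet a naive meter assumes the password was drawn from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size

def naive_guesses(pw: str) -> int:
    """What a crack-time meter computes: exhaustive search of the whole keyspace."""
    return charset_size(pw) ** len(pw)

def estimated_guesses(pw: str) -> int:
    """Guesses needed if the attacker tries the wordlist plus simple mangling
    (case folding, leet, trailing digits) before falling back to brute force."""
    for variant in (pw.lower(), pw.lower().translate(LEET)):
        if variant in COMMON_WORDS:
            return len(COMMON_WORDS) * 8  # times a few case/leet variants
        core = variant.rstrip("0123456789")
        if core in COMMON_WORDS:
            return len(COMMON_WORDS) * 10 ** (len(variant) - len(core)) * 8
    return naive_guesses(pw)

def report(pw: str) -> dict:
    """Naive versus realistic crack time, and whether it was a dictionary word in disguise."""
    naive, est = naive_guesses(pw), estimated_guesses(pw)
    return {
        "naive_seconds": naive / GUESSES_PER_SECOND,
        "estimated_seconds": est / GUESSES_PER_SECOND,
        "dictionary_hit": est < naive,
    }
```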

  3. Alessandro Tesoro

    It’s interesting reading about the password changes. However, something’s not clear to me. If WordPress will not send the password via email anymore, how will the user know its auto-generated password?

  4. Rick

    The problem tends to be how many usernames and passwords people have. Many are used and people eventually “huddle” into sites they like. So if someone loves cooking sites, recipes. They may sign up for 100 sites over two years but actually only frequent a handful. Yet, UIDs and PWDs are all over the place at 400 sites over the past 4 years.

    One can’t remember “ASwerfs34wd” for this site, “adkahtndvmASD343” for that site, and password managers are a pain, and a keylogger or network capture hack malware is hard to defend against.

    What we recommend people generally do is set up an email address at Yahoo or GMX or other free mail operations. Use that email as a base email address when signing up to new sites. As far as UserIDs go, use memorable permutations. For example, this is WPTavern. What’s my favorite color? Blue. What’s my computer? A Gateway. What’s my favorite number? 54. My favorite animal, a dog. My passwords will always have permutations of these elements. The first three letters of the site will always be “lower/upper/lower case” and be at the start or the end of the password.

    A password permutation might be “wPt54GatewaY” or “GatewaYBluewPt”

    Use one set of permutations for new signup sites (ones I don’t know if I’d hang out at) and make the criteria different. aka: My favorite video game of all time, favorite number, favorite coffee and favorite color.

    If one decides to make it a frequent romp then move it to the main email address and change the password to the first form permutation.

    One can refine it more: “54” will always precede or be after the “three letter site name”, so at Amazon let’s say, “aMa54BlueDog” or “54aMaDogBlue” or “DoGBluEaMa54”

    Just a simple formula, and the odds of getting beaned due to some hack, be that on the PC or via a site exposing data by being hacked, are very very neutralized.

    We do recommend for eCommerce that an additional piece or two pieces be added, such as the first 4 digits/numbers in a driver’s license for example, affixed to the front or back of the password.

  5. Peter Cralen (@PeterCralen)

    I am not a fan of usernames at all. It’s unnecessary. The best for me is email and a password that I choose, without restriction. On some sites I just use a simple password that I remember and it’s not important to be too secure.
    Generated passwords are crappy for me, the user still has to change it, there are many unnecessary steps. I think – email and password, works the best. Each additional step makes me nervous.
    On sites where a “hard” password is required I usually have a problem and need to reset the password many times ;)

    It would be nice if core WordPress implemented something really basic; whoever wants a more secure site or something additional can always use some plugin to extend it.

  6. Juergen | dare2go.com

    Instead of better passwords, the first step should be that the name of the admin account is NOT shown anywhere in the source code anymore! My admin name is probably as strong as other people’s passwords. But then (if you post as admin) you get on top of each post a line with the “entry-author”, which in the source code displays a link to the name of the admin account! I deleted the corresponding line of code from my theme…

  7. Chriss Benitez

    I think we have seen that coming about improving WP for touch devices and that stuff, something I found is needed nowadays.

  8. Chris Kirby

    Has anyone studied the effects of adding reCAPTCHA or a honeypot, etc. to the WordPress login to combat these issues?

  9. Akpan Promise

    It is not all about the shiny interface, or design.
    We want WordPress to be as flexible as possible. And personally, I want WordPress to incorporate schema.org as well.

  10. Tomppa

    I have never ever heard of a hacker who cares about your password. Passwords are supposed to be easy for you to use; hackers have other means, and guessing passwords is not what any real hacker has ever done. Please, please and please, leave my passwords alone and move on.

    • Tom J Nowell

      Hackers don’t guess passwords; they write a simple program, give it a dictionary, let the program guess the passwords, and set them off crawling the web. You can test every 8-character password possible in seconds on a standard PC these days.

      I also remember several cases of people being hacked by children at school who guessed passwords…

      Passwords are easy to crack precisely because they’re meant to be easy for people like you. They don’t work if they’re not hard, and no amount of please will change that.