
WordPress users who protect posts with passwords will soon have the option to make those passwords more secure. The upcoming 4.7 release resolves a 12-year-old ticket requesting an increase in the number of characters allowed for passwords on password-protected posts. Users will be able to protect posts with passwords of up to 255 characters, an increase from the previous limit of 20.
Security experts still disagree over whether complexity or length contributes more to password strength. Most of us have been told that more complex passwords are always harder to crack. However, a thought-provoking article on the Microsoft TechNet blog argues that a required password complexity only prevents users from creating easy-to-guess passwords, and has the negative effect of reducing the total number of possible passwords in a key-space.
The article works through a formula for bits of entropy (the base-2 logarithm of the number of equally likely passwords, which bounds the work a brute-force attacker has to do when the password is drawn uniformly at random from that set): log(C) / log(2) * L, i.e. L × log₂(C), where C is the size of the character set and L is the length of the password. Using this formula, the article draws two conclusions:
- Mathematically, the LENGTH of the password matters far more than the complexity of the character set: the key-space grows exponentially with length but only polynomially with the size of the character set.
- ANY complexity rule, including a required number of digits, letters, specials, etc., actually makes a password easier to crack, because it removes candidates from the key-space.
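The following Python script is an added worked example for this article, not code from WordPress or from the TechNet post. It evaluates the entropy formula above for the old 20-character limit and the new 255-character limit, and uses inclusion-exclusion to count exactly how many passwords a complexity rule removes from the key-space, which is the article's second conclusion. The character-class sizes (26 lowercase, 26 uppercase, 10 digits, 32 specials, 94 in all) are an assumed US-ASCII printable set, and everything assumes passwords drawn uniformly at random; real user-chosen passwords carry far less entropy than the formula reports.

```python
"""Added worked example: L * log2(C) entropy and the cost of complexity rules.

Assumptions (not from the original article): character-class sizes below are
the usual US-ASCII printable set, and passwords are uniformly random, which is
the only case in which the entropy formula is exact.
"""
import math
from itertools import combinations

# Assumed character classes of the 94-character US-ASCII printable set.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def entropy_bits(charset_size, length):
    """The article's formula: log(C) / log(2) * L == L * log2(C)."""
    return length * math.log2(charset_size)


def constrained_keyspace(length, classes, required):
    """Count length-`length` strings over the union of `classes` that contain
    at least one character from every class named in `required`.

    Inclusion-exclusion: start from C^L, subtract the strings that miss one
    required class, add back those that miss two, and so on.
    """
    total = sum(classes.values())
    required = list(required)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = total - sum(classes[name] for name in missing)
            count += (-1) ** k * reduced ** length
    return count


def bits_lost_to_rule(length, classes, required):
    """Entropy (in bits) a uniformly random password gives up when a rule
    forces every class in `required` to appear at least once."""
    total = sum(classes.values())
    unconstrained_bits = math.log2(total ** length)
    constrained_bits = math.log2(constrained_keyspace(length, classes, required))
    return unconstrained_bits - constrained_bits


if __name__ == "__main__":
    print(f"20 chars from a 94-char set:  {entropy_bits(94, 20):.1f} bits")
    print(f"255 chars from a 94-char set: {entropy_bits(94, 255):.1f} bits")
    # A 255-character passphrase of lowercase words and spaces (27 symbols)
    # still dwarfs a 20-character password from the full printable set.
    print(f"255-char lowercase passphrase: {entropy_bits(27, 255):.1f} bits")
    for length in (8, 12, 20):
        lost = bits_lost_to_rule(length, CLASSES, CLASSES.keys())
        print(f"length {length}: requiring all four classes costs {lost:.2f} bits")
```

The bits lost to a "use all four classes" rule are largest at short lengths and shrink as the password grows, which is the same point the article makes: once the password is long, the character-set rules contribute almost nothing either way, and length is what matters.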
With this formula in mind, WordPress contributors' decision to increase the size of wp_posts.post_password to 255 characters gives users the opportunity to create longer, more secure passwords.
"Longer passwords and passphrases are much more common than when post passwords were introduced all those eons ago, so let's increase the length of the post_password field from 20 to 255 characters," Gary Pendergast said in the commit message. Since post authors expect to be able to view the passwords they assign to posts (and often don't write them down), the post password will continue to be stored in plaintext.
This update only affects password-protected posts. WordPress user passwords don’t share the same length restrictions and can be upwards of 1,000 characters long if so desired.
What’s wrong with encrypting the password before storing in the database, and decrypting upon retrieval?