[wp-hackers] On overly-obscure passwords

John Blackbourn johnbillion+wp at gmail.com
Wed May 5 09:53:55 UTC 2010

The new passwords that are generated by WordPress when you go through
the "forgot your password" process are overly obscure and are
confusing for some users. An example of a password generated by
WordPress is "vRC0jaq$t^Mv".

I've now encountered three clients of mine who have not proceeded to
log in to WordPress with this password as they were confused by it or
thought that something had gone wrong. I understand that the more
obscure a password is, the harder it is to crack, however in this case
I think these overly obscure passwords are having a negative effect on
user experience. Surely a password such as "f3nDTwp2" is obscure
enough, without the added non-alpha-numeric characters?

I think the use of wp_generate_password() in the password recovery
process should be changed so that special characters are not used. It
may even be desirable to introduce another parameter to this function
so that only lowercase letters are used in this case.



More information about the wp-hackers mailing list