[wp-hackers] On overly-obscure passwords

Peter Westwood peter.westwood at ftwr.co.uk
Wed May 5 16:54:46 UTC 2010

On 5 May 2010, at 10:53, John Blackbourn wrote:

> The new passwords that are generated by WordPress when you go through
> the "forgot your password" process are overly obscure and are
> confusing for some users. An example of a password generated by
> WordPress is "vRC0jaq$t^Mv".
> I've now encountered three clients of mine who have not proceeded to
> log in to WordPress with this password as they were confused by it or
> thought that something had gone wrong. I understand that the more
> obscure a password is, the harder it is to crack, however in this case
> I think these overly obscure passwords are having a negative effect on
> user experience. Surely a password such as "f3nDTwp2" is obscure
> enough, without the added non-alpha-numeric characters?
> I think the use of wp_generate_password() in the password recovery
> process should be changed so that special characters are not used. It
> may even be desirable to introduce another parameter to this function
> so that only lowercase letters are used in this case.
> Opinions?

The important thing is to have a good secure option that is easy to use.

If the users are struggling with the current solution, is it really the character set used, or is it more around the wording in the email or the process steps?

I don't see how reducing the character set is going to significantly improve the user experience - most people will just copy and paste the password.

Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
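Added worked example (not code from the thread or from WordPress): the security cost of each variant John floats can be put in numbers rather than argued about. The block below mirrors the shape of wp_generate_password($length, $special_chars) with a CSPRNG and computes the entropy of a uniformly random password for the current 12-character mixed set, a 12-character alphanumeric set, a 12-character lowercase-only set (the extra parameter John proposes, modelled here as a hypothetical `alphabet` argument that does not exist in WordPress), and the 8-character "f3nDTwp2" style. The exact character sets are assumptions of this example: the alphanumeric set plus "!@#$%^&*()" is what I recall WordPress using, but check pluggable.php rather than trusting this.

```python
import math
import secrets
import string

# Character classes assumed for this example. The alphanumeric set plus the ten
# specials below is what I recall from WordPress's wp_generate_password() in
# pluggable.php, but treat the sets as an assumption, not a citation.
ALNUM = string.ascii_letters + string.digits   # 62 symbols
SPECIAL = "!@#$%^&*()"                           # 10 symbols
LOWER = string.ascii_lowercase                   # 26 symbols


def generate_password(length=12, special_chars=True, alphabet=None):
    """Mirror the wp_generate_password($length, $special_chars) shape using a CSPRNG.

    `alphabet` is a hypothetical extra knob standing in for the 'lowercase only'
    parameter proposed in the thread; it is not a real WordPress parameter.
    """
    if alphabet is None:
        alphabet = ALNUM + SPECIAL if special_chars else ALNUM
    # secrets.choice draws uniformly from os.urandom, so every symbol is equally likely
    # and the entropy figures below apply.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def keyspace_search_seconds(bits, guesses_per_second):
    """Worst-case time for an attacker to exhaust the whole keyspace at a given guess rate."""
    return 2 ** bits / guesses_per_second


def compare_schemes():
    """Entropy, in bits, of each password scheme discussed in the thread."""
    schemes = {
        "12 chars, alnum + special (current)": (12, len(ALNUM) + len(SPECIAL)),
        "12 chars, alnum only": (12, len(ALNUM)),
        "12 chars, lowercase only": (12, len(LOWER)),
        "8 chars, alnum only ('f3nDTwp2' style)": (8, len(ALNUM)),
    }
    return {name: entropy_bits(n, k) for name, (n, k) in schemes.items()}


def entropy_loss_vs_current(scheme):
    """Bits given up relative to the current 12-character mixed-set scheme."""
    bits = compare_schemes()
    return bits["12 chars, alnum + special (current)"] - bits[scheme]


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        # 10^9 guesses/second is an illustrative offline cracking rate, not a measured one.
        years = keyspace_search_seconds(bits, 1e9) / (365 * 24 * 3600)
        print(f"{name:42s} {bits:5.1f} bits  ~{years:.2e} years to exhaust at 1e9/s")
    print("sample (alnum only):", generate_password(special_chars=False))
    print("sample (lowercase only):", generate_password(alphabet=LOWER))
```

The numbers make the trade-off concrete: dropping the ten specials from a 12-character password costs under 3 bits (about 74 to about 71), whereas the 8-character alphanumeric form costs roughly 26 bits and the 12-character lowercase-only form roughly 18. If the goal is a reset password users will copy and paste anyway, keeping the length and dropping only the specials is the cheap concession; shortening it is not.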
