[wp-trac] [WordPress Trac] #21737: Users should have to jump through hoops to set passwords of their choosing, and we should guard better against weak passwords

WordPress Trac noreply at wordpress.org
Mon Apr 15 18:20:45 UTC 2013


#21737: Users should have to jump through hoops to set passwords of their choosing,
and we should guard better against weak passwords
-----------------------------+------------------------------
 Reporter:  markjaquith      |       Owner:  westi
     Type:  feature request  |      Status:  accepted
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Security         |     Version:
 Severity:  normal           |  Resolution:
 Keywords:                   |
-----------------------------+------------------------------

Comment (by iandunn):

 I remember reading somewhere that security researchers have come up with
 four authoritative algorithms for calculating the entropy of a password.
 Maybe it would be a good idea to start with one of those (and possibly add
 to it), rather than building one from scratch? I'm having trouble finding
 info on it again, though :(

 Here are some potentially helpful things I did find:
 * https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
 * http://programmers.stackexchange.com/questions/167235/how-can-i-estimate-the-entropy-of-a-password
 * http://cubicspot.blogspot.com/2011/11/how-to-calculate-password-strength.html

 We could also borrow some existing code from something like KeePass.
 Theirs is in
 [http://downloads.sourceforge.net/keepass/KeePass-2.22-Source.zip KeePassLib/Cryptography/QualityEstimation.cs]

 After calculating the entropy, we could then run some additional checks
 and knock off points for things that the entropy algorithm won't take into
 account, like commonly used passwords, the user's name, the site's domain
 name, etc.

 I'd suggest that a password need
 [http://pthree.org/2011/03/07/strong-passwords-need-entropy/ at least 72 bits]
 for it to be considered "strong".

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/21737#comment:17>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
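Added example (not part of the ticket, and not WordPress core or KeePass code): a sketch of the two-stage check the comment above proposes. Stage one is a simple character-class search-space estimate, length times log2 of the alphabet size, which is the "entropy" most strength meters compute. Stage two strips out what that formula cannot see before scoring: a constructed short list of common passwords (a real deployment would load a large leaked-password list), the user's login name, the labels of the site's domain name, and runs of a repeated character. The 72-bit threshold is the one suggested in the comment; the pool sizes per class and the helper names are this example's own assumptions. Python is used here rather than PHP so the logic stays short and testable.

```python
import math
import re

# Constructed sample list for the example; production code would load
# a large list of leaked/common passwords instead.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "wordpress", "admin", "iloveyou", "welcome", "monkey",
}

# Character classes and the alphabet size each contributes to the search space.
# Sizes are this example's assumption: 26 lower, 26 upper, 10 digits,
# 33 printable ASCII punctuation/space characters.
CHAR_CLASSES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),
)

STRONG_BITS = 72  # threshold suggested in the ticket comment


def pool_size(password):
    """Alphabet size an attacker must cover, given which classes appear."""
    return sum(size for rx, size in CHAR_CLASSES if rx.search(password))


def naive_entropy_bits(password):
    """Stage one: brute-force search-space estimate, len * log2(pool).

    This overestimates real strength for anything structured, which is why
    the penalties in estimate_bits() run before it.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def contextual_tokens(username, site_domain):
    """Strings the entropy formula cannot see but an attacker tries first."""
    tokens = set()
    if username:
        tokens.add(username.lower())
    if site_domain:
        for label in site_domain.lower().split("."):
            # Skip the hostname prefix and TLDs; keep labels like 'example'.
            if len(label) >= 3 and label not in ("www", "com", "net", "org"):
                tokens.add(label)
    return tokens


def strip_tokens(password, tokens):
    """Remove guessable substrings so they contribute no bits to the score."""
    reduced = password
    # Longest tokens first so 'markjaquith' is removed before 'mark' would be.
    for tok in sorted(tokens, key=len, reverse=True):
        reduced = re.sub(re.escape(tok), "", reduced, flags=re.IGNORECASE)
    return reduced


def estimate_bits(password, username="", site_domain=""):
    """Stage two: apply penalties, then score what is left."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0  # a dictionary hit is one guess, whatever its length
    tokens = contextual_tokens(username, site_domain) | COMMON_PASSWORDS
    reduced = strip_tokens(password, tokens)
    # Collapse runs of one repeated character: 'aaaa' is one guess, not four.
    reduced = re.sub(r"(.)\1+", r"\1", reduced)
    return naive_entropy_bits(reduced)


def is_strong(password, username="", site_domain=""):
    return estimate_bits(password, username, site_domain) >= STRONG_BITS


if __name__ == "__main__":
    # The same password scores very differently once context is known.
    pw = "markjaquith2013!"
    print(f"{pw!r} with no context: {estimate_bits(pw):.1f} bits")
    print(f"{pw!r} for user markjaquith on example.com: "
          f"{estimate_bits(pw, 'markjaquith', 'example.com'):.1f} bits")
```

The contrast worth noticing is the last two lines of output: the naive formula rates "markjaquith2013!" as strong (16 characters over a 69-symbol alphabet is about 98 bits), while the contextual pass reduces it to the five characters an attacker would actually have to guess.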