[wp-trac] [WordPress Trac] #25174: Expand zxcvbn user_input blacklist
WordPress Trac
noreply at wordpress.org
Thu Aug 29 15:47:08 UTC 2013
#25174: Expand zxcvbn user_input blacklist
-------------------------+--------------------
Reporter: iandunn | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 3.7
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch |
-------------------------+--------------------
Comment (by iandunn):
Yeah, and that'd have an extra benefit of making sure we're blacklisting
the most current values for those fields, in cases where the user updates
usermeta at the same time as the password.
We could also get the site url and title from the DOM, but we'd miss the
following items:
* Site description
* admin_email
* If the current user is editing another user, we wouldn't have the
  current user's:
  1. user_login
  2. user_nicename
  3. user_email
  4. user_url
  5. first_name
  6. last_name
  7. description
So, is it worth the tradeoff? I'd personally err on the side of making the
entropy score more accurate, even at the expense of a little bit of
performance. Passwords are possibly the weakest link in the security
chain, so educating users about what makes one strong is very important;
and since changing a password is an infrequent occurrence, the performance
impact won't be felt very often (if it's even noticeable). I can see the
other side, though.
Or should we go with a hybrid approach? The PHP side could do the minimal
amount of work to collect the data that only it can get, then pass that
off to the client side. Then a JS function could add in all of the data
that it has access to, and do all of the processing to clean up the array
before it gets used. That way we'd get both the previous usermeta values,
and the current ones.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25174#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
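The hybrid approach sketched in the comment above, written out as an added example (this is illustrative code, not the ticket's patch and not WordPress core): PHP passes the values only it can see (admin_email, the site description, the edited user's stored usermeta) to the client as a plain object, the JS side adds what it can read from the current form, and one function normalizes everything into the de-duplicated array that zxcvbn accepts as its second argument, `zxcvbn(password, userInputs)`. The object shape, the field names used as element ids, and the sample values are all assumptions made for the example.

```javascript
// Added example, not WordPress core code. Builds the zxcvbn user_input
// blacklist from two sources: values localized by PHP and values read from
// the current form. Field names and sample values below are constructed.

// Constructed stand-in for what PHP would localize to the page (values are
// placeholders; the real list would come from the stored usermeta/options).
const serverInputs = {
  admin_email: 'admin@example.test',
  blogdescription: 'Just another WordPress site',
  user_login: 'jdoe',
  user_email: 'jdoe@example.test',
  first_name: 'Jane',
  last_name: 'Doe',
  description: '',
};

// Constructed stand-in for what the client reads from the form/DOM, i.e. the
// values the user may be changing right now, which the server copy lacks.
const domInputs = {
  siteurl: 'https://example.test/blog',
  blogname: 'Example Blog',
  user_nicename: 'jane-doe',
  user_url: '',
};

// Browser-side collector for the "current" values. The element ids are an
// assumption; `doc` is injected so the function also runs outside a browser.
function readFormInputs(doc, ids) {
  const out = {};
  if (!doc || typeof doc.getElementById !== 'function') return out;
  for (const id of ids) {
    const el = doc.getElementById(id);
    if (el && typeof el.value === 'string') out[id] = el.value;
  }
  return out;
}

// Split one raw value into the tokens zxcvbn should penalize: lowercase,
// split on whitespace and common separators, keep tokens of 3+ characters
// (shorter fragments would penalize almost any password).
function tokenize(value) {
  if (typeof value !== 'string') return [];
  return value
    .toLowerCase()
    .split(/[\s@./:_-]+/)
    .filter((t) => t.length >= 3);
}

// Merge any number of source objects into one de-duplicated array. Later
// sources win nothing here on purpose: both the stored and the current value
// of a field end up in the list, which is exactly what the ticket asks for.
// The full raw value is kept next to its tokens so that, e.g., the whole
// e-mail address and its local part are both matched.
function buildUserInputBlacklist(...sources) {
  const seen = new Set();
  // Scheme/host noise present in every URL; penalizing it would hit everyone.
  const noise = new Set(['http', 'https', 'www']);
  for (const source of sources) {
    for (const raw of Object.values(source)) {
      if (typeof raw !== 'string') continue;
      const trimmed = raw.trim().toLowerCase();
      if (trimmed.length >= 3) seen.add(trimmed);
      for (const token of tokenize(trimmed)) seen.add(token);
    }
  }
  return [...seen].filter((t) => !noise.has(t));
}

// Usage: merge the server copy with whatever the form currently holds, then
// hand the array to zxcvbn as its user_inputs argument.
const userInputs = buildUserInputBlacklist(serverInputs, domInputs);
// const result = zxcvbn(passwordField.value, userInputs);
```

Keeping the raw value and its tokens side by side matters because zxcvbn matches substrings of the password against each entry: "jdoe@example.test" catches the full address, while "jdoe" and "example" catch the pieces a user is most likely to reuse. Dropping short tokens and scheme words keeps the list from penalizing every password on the site.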