[wp-hackers] Limit Login Attempts

Otto otto at ottodestruct.com
Tue Apr 16 16:48:48 UTC 2013


On Tue, Apr 16, 2013 at 10:46 AM, Marko Heijnen <mailing at markoheijnen.nl> wrote:
> ... checking the password strength ...

Determining password strength is a surprisingly difficult thing to do
properly. The current password strength indicator in core is kinda
lame. It's okay for me to say that, since I wrote it. :) It's just a
basic bit-strength check. Sort of the lowest end form of check. Not
perfect, but better than what we had before.

The underlying problem is that modern brute force attacks are built
based on the large lists of passwords that have been released over the
last few years, and so you can do much better than random with them by
using dictionary based attacks, since it's now known that most people
use dictionary based passwords.

Dropbox made a library a year ago to do better password checking (
https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
) and I implemented it as a plugin yesterday (
http://wordpress.org/extend/plugins/zxcvbn/ ), but if you'll notice,
this thing has 700k of dictionary in it. Way too big for core.

I don't have a solution, just a few references to help clarify the problems.

-Otto
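Otto's contrast between a plain bit-strength check and a dictionary-aware one, as an added example that is neither his code, WordPress core's indicator, nor the zxcvbn library: a character-class bit count next to a small dictionary-plus-mangling estimate over a constructed eight-entry list standing in for the leaked-password lists he mentions.

```javascript
// Constructed stand-in for a leaked-password list, most common first.
// Rank (index) is what matters: an attacker tries these in order.
const LEAKED = ["123456", "password", "qwerty", "letmein",
                "dragon", "football", "monkey", "iloveyou"];

// Naive bit-strength estimate: length * log2(size of the character
// classes present). This is the "lowest end form of check".
function naiveBits(pw) {
  let charset = 0;
  if (/[a-z]/.test(pw)) charset += 26;
  if (/[A-Z]/.test(pw)) charset += 26;
  if (/[0-9]/.test(pw)) charset += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) charset += 33;
  return charset === 0 ? 0 : pw.length * Math.log2(charset);
}

// Reverse the leet substitutions a cracking rule set tries first.
function unleet(s) {
  return s.replace(/[@4]/g, "a").replace(/3/g, "e").replace(/[1!]/g, "i")
          .replace(/0/g, "o").replace(/[$5]/g, "s");
}

// Dictionary-aware estimate in the spirit of zxcvbn: lowercase, strip
// trailing digits, undo leet, then look the stem up. If it is in the
// list, guesses ~= rank * cost of each mangling rule the attacker must
// try; otherwise fall back to the naive figure.
function dictionaryBits(pw) {
  const naive = naiveBits(pw);
  const lower = pw.toLowerCase();
  const digits = (lower.match(/\d+$/) || [""])[0];
  const stem = lower.slice(0, lower.length - digits.length);
  const deleet = unleet(stem);
  const rank = LEAKED.indexOf(deleet);
  if (rank === -1) return naive;            // not a dictionary word
  let guesses = rank + 1;                   // list tried in rank order
  if (lower !== pw) guesses *= 2;           // capitalization variants
  if (deleet !== stem) guesses *= 4;        // leet substitutions
  guesses *= Math.pow(10, digits.length);   // appended digits
  return Math.min(naive, Math.log2(guesses));
}
```

"P@ssw0rd1" scores about 59 bits on the naive check but only about 7 bits once the list is consulted, which is the gap Otto is describing.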
