[wp-trac] [WordPress Trac] #21737: Users should have to jump through hoops to set passwords of their choosing, and we should guard better against weak passwords

WordPress Trac wp-trac at lists.automattic.com
Thu Aug 30 04:07:17 UTC 2012 

#21737: Users should have to jump through hoops to set passwords of their choosing,
and we should guard better against weak passwords
-----------------------------+-----------------------------
 Reporter:  markjaquith      |      Owner:
     Type:  feature request  |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Security         |    Version:
 Severity:  normal           |   Keywords:
-----------------------------+-----------------------------
 People are terrible at choosing secure, unique, complex, unguessable
 passwords. Unless someone is using a password storage system, the chances
 are good that the passwords they're choosing are really weak.

 We can mitigate this problem.

 1. Let's make the default to always be that WordPress picks a password for
 you. When installing WordPress, or when creating a new user account, or
 when changing your password on your profile. The default should be that we
 generate a secure password for the user. They can remember it, write it
 down (not ideal, but generally more secure than choosing a weak password),
 or copy and use it once, check the "remember me" box, and not worry about
 it until their cookie expires on that computer.

 2. If they do opt to manually create a password, we need to do better than
 our current password strength meter. And the lowest level should actually
 nag them with an AYS before they proceed. I suggest the following, to
 start, which would trigger the lowest level, and cause them to have to
 dismiss a warning (or check a checkbox... UI TBD) before continuing:

 * compare the strtolower'd version of their password to strtolower'd
 versions of all their info (username, first/last name, part of e-mail
 address before the @, etc).
 * any password that is shorter than 8 characters
 * a blacklist of popular passwords (these lists are available... even
 grabbing the top 100 would give use good coverage)
 * 3 or more consecutive digits ("123456" and company are very popular)
 * anything that looks like a date

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/21737>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list