[wp-trac] [WordPress Trac] #21737: Users should have to jump through hoops to set passwords of their choosing, and we should guard better against weak passwords
WordPress Trac
wp-trac at lists.automattic.com
Thu Aug 30 04:07:17 UTC 2012
#21737: Users should have to jump through hoops to set passwords of their choosing,
and we should guard better against weak passwords
-----------------------------+-----------------------------
Reporter: markjaquith | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
-----------------------------+-----------------------------
People are terrible at choosing secure, unique, complex, unguessable
passwords. Unless someone is using a password storage system, the chances
are good that the passwords they're choosing are really weak.
We can mitigate this problem.
1. Let's make the default to always be that WordPress picks a password for
you. When installing WordPress, or when creating a new user account, or
when changing your password on your profile. The default should be that we
generate a secure password for the user. They can remember it, write it
down (not ideal, but generally more secure than choosing a weak password),
or copy and use it once, check the "remember me" box, and not worry about
it until their cookie expires on that computer.
2. If they do opt to manually create a password, we need to do better than
our current password strength meter. And the lowest level should actually
nag them with an AYS before they proceed. I suggest the following, to
start, which would trigger the lowest level, and cause them to have to
dismiss a warning (or check a checkbox... UI TBD) before continuing:
* compare the strtolower'd version of their password to strtolower'd
versions of all their info (username, first/last name, part of e-mail
address before the @, etc).
* any password that is shorter than 8 characters
* a blacklist of popular passwords (these lists are available... even
grabbing the top 100 would give us good coverage)
* 3 or more consecutive digits ("123456" and company are very popular)
* anything that looks like a date
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21737>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
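The five checks proposed in the ticket, written out as a small client-side validator of the kind a password strength meter could call before the profile form is submitted. This is an added example, not WordPress core code and not code from the ticket: the function and field names, the contents of the blacklist and the date heuristic are this example's own assumptions. "Compare to their info" is read here as "the lowercased password contains one of the lowercased tokens", and "3 or more consecutive digits" as a run of three or more digit characters; the function returns the list of reasons that would put a password in the lowest strength level and so trigger the proposed "are you sure?" prompt.

```javascript
// Added example (not WordPress core code): the weak-password checks proposed
// in ticket #21737 as a validator a strength meter could call. Returns the
// list of reasons the password would land in the lowest level; an empty list
// means none of the proposed checks fired.

// Constructed, illustrative blacklist; a real deployment would load the
// top-N entries of a published list of commonly used passwords.
const POPULAR_PASSWORDS = new Set([
  'password', '123456', '12345678', 'qwerty', 'abc123', 'letmein',
  'monkey', 'iloveyou', 'welcome', 'admin',
]);

const MIN_LENGTH = 8;

// Everything the user "is", lower-cased: login, first/last name and the part
// of the e-mail address before the @. Tokens shorter than three characters
// are dropped so an initial or a two-letter login does not flag every
// password that happens to contain those letters.
function personalTokens(user) {
  const raw = [user.login, user.firstName, user.lastName];
  if (user.email) raw.push(user.email.split('@')[0]);
  return raw.filter(t => t && t.length >= 3).map(t => t.toLowerCase());
}

// Heuristic for "anything that looks like a date": a bare year (1987), three
// numeric fields with -, / or . separators (12/25/87, 25.12.1987), or eight
// bare digits read as YYYYMMDD or as DDMMYYYY / MMDDYYYY (19871225, 25121987).
function looksLikeDate(pw) {
  if (/^(19|20)\d{2}$/.test(pw)) return true;
  const candidates = [];
  const sep = pw.match(/^(\d{1,4})[-/.](\d{1,2})[-/.](\d{1,4})$/);
  if (sep) candidates.push(sep.slice(1));
  if (/^\d{8}$/.test(pw)) {
    candidates.push([pw.slice(0, 4), pw.slice(4, 6), pw.slice(6)]); // YYYYMMDD
    candidates.push([pw.slice(0, 2), pw.slice(2, 4), pw.slice(4)]); // DDMMYYYY / MMDDYYYY
  }
  const month = v => v >= 1 && v <= 12;
  const day = v => v >= 1 && v <= 31;
  const year = v => (v >= 1900 && v <= 2099) || v <= 99; // four- or two-digit year
  // Accept year-first (Y-M-D) or year-last (D-M-Y / M-D-Y) field orders.
  return candidates.some(c => {
    const [a, b, d] = c.map(Number);
    return (year(a) && month(b) && day(d)) ||
           (year(d) && ((day(a) && month(b)) || (month(a) && day(b))));
  });
}

function weakPasswordReasons(pw, user) {
  const reasons = [];
  const lower = pw.toLowerCase();
  if (personalTokens(user).some(t => lower.includes(t))) reasons.push('personal-info');
  if (pw.length < MIN_LENGTH) reasons.push('too-short');
  if (POPULAR_PASSWORDS.has(lower)) reasons.push('popular');
  if (/\d{3,}/.test(pw)) reasons.push('digit-run');
  if (looksLikeDate(pw)) reasons.push('date');
  return reasons;
}

// Constructed sample user and candidate passwords to exercise the checks.
const sampleUser = {
  login: 'jsmith', firstName: 'Jane', lastName: 'Smith', email: 'jane.smith@example.com',
};
for (const pw of ['Smith2012', '123456', '12/25/1987', 'correct horse battery staple']) {
  console.log(pw, '=>', weakPasswordReasons(pw, sampleUser));
}
```

The returned reason codes, rather than a single boolean, are what a UI needs to explain the warning it asks the user to dismiss; the order of the checks mirrors the ticket's list so a password such as `123456` reports every rule it trips.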