[wp-trac] [WordPress Trac] #31772: Browser unresponsive with long password
WordPress Trac
noreply at wordpress.org
Sun Mar 29 21:29:07 UTC 2015
#31772: Browser unresponsive with long password
--------------------------+--------------------------------------
Reporter: BevanR | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 4.1.1
Severity: normal | Resolution:
Keywords: | Focuses: javascript, performance
--------------------------+--------------------------------------
Comment (by chriscct7):
Repeating values of 0's are perfectly secure if there's a lot of them.
Let's say I don't know your password, and I have no preconceived notions
of what it could be. I don't know it, but your password is 32 repeating
0's. So how do I figure out your password? Brute force. The entropy
required to brute force a string where it can contain upper/lower
characters, special characters and numbers is incredibly high. Even if I
knew your password only contained digits, it would still take me 32
quintillion years using the most powerful commonly accepted publicly
known brute force algorithms. So it's secure, even if to a user it
doesn't seem secure. Repeating characters are only a concern when the
number of digits is small or constricted. For example 0000 on an iPhone is
insecure because I can brute force it quickly but also I know your
password has to be numbers, and there has to be exactly 4 of them (if you
use the number pin on older editions), and also 0000 is a common password.
If I have no clue what your password length is, particularly when it's
long, 512 0's is no more secure than this randomly generated 512 character
password
{{{
yK&pF=W4B&w!XMrf:nuuMg8 at c*=F)t.t[B;F*zj~Cf::B>%gxj(@YK>p-v6RDQRV%T{2](.Tq7sg^;]{z}Y{e<P/FB/<GvM4TX5VH$zz$Xk<Bj,HbUu7fc\vY\$!2cCK}b{RWs~Hx);dUz)N?-J]uk@?R'$%,P,f`LnA at Gj"_mx9`eEm&u]mn4-vw_T~gpEJ%LAkW6~(uDk(^&'6L]&Ud3>]a~\qA`x-te&x&eR,Z;/27y=H<GLT#uS~=>^)Jdr*t5cA[,>E7m:qq/q)=:U#~bZ!c+\3AH&RyWMJW_%Zzg<Z$^]JS:.Q)SKDJ'k~b?Tu;zEP=Z}8}#g/]<s!%=V:>JhfsdC{T!\^@L2}%nas5rD:q<UP$a^WJFr5zkKm~6$YA&8_$bpp>W$w\4X{z$*<r-rBv/}X^R-H!_{}3jqR7?Ub%feQa(^]`q[@~<9N=/u[h6VCG~=Vg&/snH~zmq<W~ZehzEb}W{hy<)A3X4(L7;tX>6etr+ubN3)C>E=wNc%]
}}}
Above roughly 20 characters, the entropy required to brute force makes
repeating characters or even using English words in passwords irrelevant.
If my password is the word "cat" repeated 55 times, it's still going to at
least require tens of billions of years to break.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31772#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
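Added example (Python), not code from the ticket or from WordPress itself. It puts two estimates side by side for the strings the comment discusses (32 zeros, "cat" repeated 55 times, and the first 23 characters of the random string quoted above): the naive brute-force keyspace that the comment reasons with, and a pattern-aware estimate of the kind a password strength meter computes, where a repeated unit is charged for guessing the unit once plus the repeat count, and a dictionary word is charged for its rank in the list. The 95-symbol printable-ASCII alphabet, the two-entry dictionary with its ranks, and the 10^10 guesses per second rate are constructed assumptions for the illustration.

```python
import math
import re

# Constructed sample inputs: the strings the ticket comment discusses.
SAMPLES = {
    "zeros32": "0" * 32,
    "cat55": "cat" * 55,
    "random23": "yK&pF=W4B&w!XMrf:nuuMg8",  # first 23 chars of the quoted random password
}

# Constructed stand-in for a frequency-ranked wordlist (rank 1 = most common).
WORD_RANK = {"password": 1, "cat": 250}

# Assumed attacker throughput for the time estimate (constructed, not from the ticket).
GUESSES_PER_SECOND = 1e10


def alphabet_size(password):
    """Size of the union of character classes present: the naive keyspace base."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation and space (assumption)
    return size


def bruteforce_bits(password):
    """Naive estimate: log2(alphabet ** length), i.e. every position is independent."""
    return len(password) * math.log2(alphabet_size(password))


def shortest_repeat_unit(password):
    """Shortest unit u with password == u * k; returns the whole password if none."""
    n = len(password)
    for unit_len in range(1, n // 2 + 1):
        if n % unit_len == 0 and password[:unit_len] * (n // unit_len) == password:
            return password[:unit_len]
    return password


def pattern_bits(password):
    """Pattern-aware estimate: a repeated unit costs guessing the unit plus the
    repeat count; a known word costs log2 of its rank; anything else falls back
    to the naive keyspace. This is the zxcvbn-style idea, not zxcvbn's code."""
    unit = shortest_repeat_unit(password)
    if unit.lower() in WORD_RANK:
        unit_bits = math.log2(WORD_RANK[unit.lower()])
    elif unit == password:
        return bruteforce_bits(password)  # no repeat structure found
    else:
        unit_bits = bruteforce_bits(unit)
    repeats = len(password) // len(unit)
    return unit_bits + math.log2(repeats)


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Years needed to try every candidate in a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(samples=SAMPLES):
    """Return {name: (naive_bits, pattern_bits)} for each sample string."""
    return {name: (bruteforce_bits(p), pattern_bits(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, aware) in compare().items():
        print(f"{name:9s} naive={naive:7.1f} bits ({years_to_exhaust(naive):.2e} y)  "
              f"pattern-aware={aware:7.1f} bits ({years_to_exhaust(aware):.2e} y)")
```

The naive column grows linearly with length no matter what the characters are; the pattern-aware column stays small for the two repeated inputs because the repeat detector reduces them to one unit plus a count, and only the random string keeps its full keyspace. Both estimators are linear in the input length, which is the property a browser-side meter needs if it is to stay responsive on very long inputs.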