[wp-trac] [WordPress Trac] #32261: Security: Wordpress Admin/Backend: No Passwordlength is enforced = Big Security Risk
WordPress Trac
noreply at wordpress.org
Tue May 5 22:19:45 UTC 2015
#32261: Security: Wordpress Admin/Backend: No Passwordlength is enforced = Big Security Risk
------------------------------+------------------------------
Reporter: iamwordimpressed | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.2.1
Severity: normal | Resolution:
Keywords: close | Focuses:
------------------------------+------------------------------
Changes (by ericmann):
* keywords: => close
Comment:
WordPress doesn't force security in this way. You could hook in and remove
all passwords if you wanted to. Or you could hook in and replace the default
password setup with something like OAuth, LDAP, or ActiveDirectory. Every
installation is different, and forcing a minimum (or maximum, or strong,
or whatever) password on <em>everyone</em> is a quick way to hurt many end
users who may or may not face the same requirements.
Weak passwords are a potential security risk, true. But the onus of
enforcing strong passwords is on the site administrator, <em>not</em> on
the tool upon which they build a site.
If you need to force long passwords, or strong passwords, or passwords
with only alphanumeric characters, or whatever, you're entirely welcome to
do so. But that's not a use case that fits the majority of end users, so
it likely won't be a change rolled into core. As it stands now, that kind
of a change might actually prove destructive to the existing user base and
do more harm than good.
Instead, I highly recommend you look into existing plugin solutions like
Force Strong Passwords (https://wordpress.org/plugins/force-strong-passwords/)
that add an extra layer of security onto your password system if you need it.
Some other systems add two-factor authentication as well. Others force
passwords to expire on a set schedule. The exact security requirements of
your site and setup should dictate how you deal with passwords, not the
software itself.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32261#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
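The "hook in" approach the comment describes, as an added example that is not part of the ticket, the Force Strong Passwords plugin, or WordPress core: a small plugin that uses core's own `user_profile_update_errors` and `validate_password_reset` hooks to reject passwords shorter than a site-chosen minimum. The 12-character floor, the plugin name and the `example_` function names are assumptions; the `$_POST['pass1']` field name is what the profile and reset forms submit.

```php
<?php
/**
 * Plugin Name: Minimum Password Length (example)
 * Description: Added example, not part of the Trac ticket or WordPress core.
 * Rejects passwords shorter than a site-chosen minimum on profile updates,
 * admin-created users and password resets, using core WordPress hooks.
 */

// Assumption: 12 characters is this site's policy; adjust to your requirements.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

/**
 * Return an error message if $password is shorter than the policy, else null.
 * Kept free of WordPress calls so the rule itself can be tested in isolation.
 */
function example_password_length_error( $password ) {
    // strlen() counts bytes; multibyte characters can only make the byte count
    // larger than the character count, so a byte-length floor is never too strict.
    if ( strlen( (string) $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.',
            EXAMPLE_MIN_PASSWORD_LENGTH );
    }
    return null;
}

/**
 * Shared validator. The profile, new-user and password-reset forms all submit
 * the new password as $_POST['pass1']; an empty field means "no change".
 */
function example_check_submitted_password( WP_Error $errors ) {
    if ( ! isset( $_POST['pass1'] ) || '' === $_POST['pass1'] ) {
        return; // No password change in this request; nothing to check.
    }
    $message = example_password_length_error( wp_unslash( $_POST['pass1'] ) );
    if ( null !== $message ) {
        // Adding an error makes edit_user() / the reset form abort the save.
        $errors->add( 'password_too_short', $message );
    }
}

// Profile edits and admin-created users (fired from edit_user()).
add_action( 'user_profile_update_errors', 'example_check_submitted_password' );

// Password reset via the "lost password" flow (wp-login.php?action=rp).
add_action( 'validate_password_reset', 'example_check_submitted_password' );
```

Drop the file into `wp-content/mu-plugins/` to make the policy apply site-wide without being deactivatable from the Plugins screen; existing passwords are not affected, only the next change.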