[wp-trac] [WordPress Trac] #37604: 'Password Lost/Changed' emails should give indication of the strength of the new password
WordPress Trac
noreply at wordpress.org
Tue Aug 9 07:53:55 UTC 2016
#37604: 'Password Lost/Changed' emails should give indication of the strength of the new password
-----------------------------+-----------------------------
Reporter: lovingboth | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version: 3.7
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
-----------------------------+-----------------------------
Comment (by lovingboth):
"I quite like this idea."
Me too :)
"Is email a secure medium for transmitting that information?"
If your site's email is compromised / being sniffed by an attacker, you're
already stuffed because typically the user's login reset details have just
been emailed. (If all of your email is compromised, you're even more
stuffed!)
Plus, emailing the current message already says 'here's a username and
they've just changed their password... so it's quite possibly not very good
- get brute-forcing it!' (Especially as there's no brute-force protection
in WordPress without installing a plugin or doing something at the server
level.)
"maybe it'd help to include a link in the email so that admins can reset
weak passwords to strong ones with a single click"
It would be a useful addition, if it doesn't delay the main change
happening.
(I'd prefer a setting in core, set by default, that stops any 'very weak'
password being used in the first place, but that's for another feature
request...)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37604#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform