[wp-trac] [WordPress Trac] #40149: WordPress password strength checking is improved, but the hint now doesn't help
WordPress Trac
noreply at wordpress.org
Tue Mar 14 00:37:08 UTC 2017
-------------------------+-----------------------------
Reporter: arjenlentz | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.7.3
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
WordPress 4.7 has vastly improved password strength checking.
This is great.
However, the password hint function wp_get_password_hint() provides
information that's essentially contradicting the approach that the
password checker uses.
Mind that the check tool now used (built by someone at Dropbox) takes into
account that (for instance) random word phrases are easy to remember as
well as difficult to crack, while using upper/lowercase and letter->digit
substitution is easy to crack while being more of a hassle to remember.
Ref also the famous XKCD cartoon on this topic: https://xkcd.com/936/
What does the WP Core default string read?
{{{
'Hint: The password should be at least twelve characters long. To make it
stronger, use upper and lower case letters, numbers, and symbols like ! "
? $ % ^ & ).'
}}}
Yes, we can override this using the 'password_hint' filter; however, I think
it'd be great to provide a better base text for default installs.
Proposed new text:
{{{
'Hint: longer is stronger (at least 12 characters), and consider using a
sequence of random words (ideally non-English).'
}}}
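For sites that want the proposed wording before (or instead of) a core change, the override via the 'password_hint' filter mentioned above looks like this as a must-use plugin. This is an added example, not code from the ticket or from WordPress core; the file name and plugin header are assumptions, the filter name and wp_get_password_hint() are the real core hooks.

```php
<?php
/**
 * Plugin Name: Passphrase-friendly password hint
 * Description: Replaces the default text returned by wp_get_password_hint()
 *              with wording that matches the zxcvbn-based strength meter.
 *
 * Assumed location: wp-content/mu-plugins/passphrase-password-hint.php
 */

// Guard against direct requests to the file outside of WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Filter callback for 'password_hint', which wp_get_password_hint()
 * applies to its default string on every screen that shows the hint
 * (profile, new user, password reset).
 *
 * @param string $hint Core default hint text (discarded here).
 * @return string The replacement hint.
 */
function passphrase_friendly_password_hint( $hint ) {
    // Proposed text from ticket #40149; wrapped in __() so it can be translated.
    return __(
        'Hint: longer is stronger (at least 12 characters), and consider ' .
        'using a sequence of random words (ideally non-English).'
    );
}
add_filter( 'password_hint', 'passphrase_friendly_password_hint' );
```

Because wp_get_password_hint() is the single source for the hint, this one filter covers the profile, new-user and reset-password screens without touching any templates.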
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40149>
WordPress Trac <https://core.trac.wordpress.org/>