[wp-trac] [WordPress Trac] #40234: Do not allow weak passwords

WordPress Trac noreply at wordpress.org
Wed Mar 22 11:10:45 UTC 2017


#40234: Do not allow weak passwords
-------------------------------------+------------------------------
 Reporter:  robdxw                   |       Owner:
     Type:  enhancement              |      Status:  new
 Priority:  normal                   |   Milestone:  Awaiting Review
Component:  Security                 |     Version:  4.3
 Severity:  normal                   |  Resolution:
 Keywords:  2nd-opinion ux-feedback  |     Focuses:
-------------------------------------+------------------------------
Description changed by SergeyBiryukov:

Old description:

> As noted previously (https://core.trac.wordpress.org/ticket/21737),
> people are notoriously bad at choosing secure passwords. And passwords
> protect not only the integrity of the individual account but also the
> integrity of the system as a whole.
>
> Therefore, allowing users to set weak passwords (even if they are nagged
> for doing so) compromises the security of any site that is running
> WordPress with the default password settings.
>
> This could be mitigated by simply not allowing passwords that do not meet
> at minimum the "medium" strength requirements, or at least providing a
> site or network-wide checkbox setting to enforce such a policy.

New description:

 As noted previously (#21737), people are notoriously bad at choosing
 secure passwords. And passwords protect not only the integrity of the
 individual account but also the integrity of the system as a whole.

 Therefore, allowing users to set weak passwords (even if they are nagged
 for doing so) compromises the security of any site that is running
 WordPress with the default password settings.

 This could be mitigated by simply not allowing passwords that do not meet
 at minimum the "medium" strength requirements, or at least providing a
 site or network-wide checkbox setting to enforce such a policy.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40234#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

