[wp-trac] [WordPress Trac] #40237: Educate users about modern password best-practices

WordPress Trac noreply at wordpress.org
Wed Mar 22 17:00:52 UTC 2017


#40237: Educate users about modern password best-practices
-------------------------+-----------------------------
 Reporter:  iandunn      |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Security     |    Version:
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 We've done several things over the past few years to encourage users to
 use stronger passwords, but we've never tried to educate them about
 ''why'' it's important. It's obvious to most of us, but I think it's
 common for the average user to think things like, "Why would anybody want
 to hack into this small site I created for a non-profit?"

 If someone doesn't understand ''why'' having a strong password is
 important, they're not going to be motivated to take any steps in that
 direction, and they may respond to any attempts to push them in that
 direction by adopting insecure workarounds to avoid it, like post-it notes
 stuck to their monitor with the password they reuse on all sites.

 It seems like educating users about the risks of weak passwords, and easy
 ways to follow modern best practices, could be very effective.

 My first thought would be something like this:

 1. When a user is manually entering a password, if `zxcvbn` detects a low
 entropy score, then they're shown a message saying something like, `That
 password won't protect your account from hackers. Automated bots attempt
 to gain access to all accounts on the Web 24/7, no matter how small. Don't
 worry, though, there's an easy way to use very strong passwords, and
 you'll never have to type or remember them. Learn more.`
 1. Clicking on `Learn more` would reveal a modal with a brief explanation
 of how to use password managers, with a link to a longer article (maybe
 [https://en.support.wordpress.com/selecting-a-strong-password/ similar to
 WordPress.com's], but more .org-specific).
 1. The modal would also have a video embedded, since many people are more
 willing to watch a video than read a long article. We could put the video
 on WordPress.tv and subtitle it in all of the locales.
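
The check behind step 1, as an added example that is not part of the ticket and not WordPress core code. `estimateGuesses()` is a crude stand-in for zxcvbn (character-class search space plus a constructed list of common passwords) so the block runs offline; what it shares with zxcvbn is the output contract, a guess count mapped to a 0..4 score at zxcvbn's own thresholds, and `evaluatePassword()` accepts any estimator so the real library drops in as `p => zxcvbn(p).guesses`. The "weak means score below 3" threshold and the element ids in the browser wiring are assumptions, not anything the ticket specifies.

```javascript
// Added example (not WordPress core code): the "low score -> show the
// educational message" flow proposed in the ticket, runnable stand-alone.
'use strict';

// Constructed sample list; zxcvbn ships dictionaries of tens of thousands.
const COMMON_PASSWORDS = new Set(['password', '123456', 'qwerty', 'letmein', 'wordpress']);

// zxcvbn's guess-count -> score boundaries (0 = weakest, 4 = strongest).
function guessesToScore(guesses) {
  const DELTA = 5; // zxcvbn's fudge so borderline estimates round down
  if (guesses < 1e3 + DELTA) return 0;
  if (guesses < 1e6 + DELTA) return 1;
  if (guesses < 1e8 + DELTA) return 2;
  if (guesses < 1e10 + DELTA) return 3;
  return 4;
}

// Crude estimator, NOT zxcvbn: a listed password falls within the first few
// guesses; anything else is scored as a brute-force search over the
// character classes it uses. zxcvbn also catches l33t, keyboard walks,
// dates, repeats and sequences, which this deliberately does not.
function estimateGuesses(password) {
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    return COMMON_PASSWORDS.size;
  }
  let alphabet = 0;
  if (/[a-z]/.test(password)) alphabet += 26;
  if (/[A-Z]/.test(password)) alphabet += 26;
  if (/[0-9]/.test(password)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(password)) alphabet += 33;
  return alphabet === 0 ? 1 : Math.pow(alphabet, password.length);
}

// The ticket's proposed wording, verbatim.
const WEAK_PASSWORD_MESSAGE =
  "That password won't protect your account from hackers. Automated bots " +
  'attempt to gain access to all accounts on the Web 24/7, no matter how ' +
  "small. Don't worry, though, there's an easy way to use very strong " +
  "passwords, and you'll never have to type or remember them. Learn more.";

// Assumption: "low entropy score" means score < 3; the ticket fixes no threshold.
const WEAK_SCORE_THRESHOLD = 3;

// Returns the score, whether to show the message, and the message itself.
// Pass `p => zxcvbn(p).guesses` as the estimator to use the real library.
function evaluatePassword(password, estimator = estimateGuesses) {
  const guesses = estimator(password);
  const score = guessesToScore(guesses);
  const weak = score < WEAK_SCORE_THRESHOLD;
  return { score, weak, message: weak ? WEAK_PASSWORD_MESSAGE : '' };
}

// Browser wiring: re-evaluate on every keystroke and toggle the "Learn more"
// trigger that would open the modal. Element ids below are assumed.
function attachPasswordEducation(inputEl, messageEl, learnMoreEl) {
  inputEl.addEventListener('input', () => {
    const result = evaluatePassword(inputEl.value);
    messageEl.textContent = result.message;
    learnMoreEl.hidden = !result.weak;
  });
}

if (typeof document !== 'undefined') {
  const inputEl = document.getElementById('pass1');
  const messageEl = document.getElementById('pass-strength-education');
  const learnMoreEl = document.getElementById('pass-learn-more');
  if (inputEl && messageEl && learnMoreEl) {
    attachPasswordEducation(inputEl, messageEl, learnMoreEl);
  }
}
```

Note how the stand-in estimator overrates `abc12`-style passwords that zxcvbn would flag as sequences; the point of the block is the score-to-message decision, which is unchanged once the real `guesses` value is supplied.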

 That's just one idea, though; does anybody have any others?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40237>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform