[wp-trac] [WordPress Trac] #40234: Do not allow weak passwords
WordPress Trac
noreply at wordpress.org
Wed Mar 22 17:12:22 UTC 2017
#40234: Do not allow weak passwords
-------------------------------------+------------------------------
Reporter: robdxw | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.3
Severity: normal | Resolution:
Keywords: 2nd-opinion ux-feedback | Focuses:
-------------------------------------+------------------------------
Comment (by iandunn):
I think something like this can easily backfire if it's not done very
thoughtfully, and from a user-first perspective. Anything that places too
high a burden on the average user will just push them to use insecure
workarounds to relieve that burden, like writing the password down on a
post-it note stuck to their monitor.
I agree with [https://blog.codinghorror.com/password-rules-are-bullshit/ Jeff Atwood's recent article on the topic], which seems to be in line with
WordPress' general philosophy. He references
[https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ NIST's latest recommendations] to back up his
argument. His conclusion was that the only rule that is effective and
user-friendly is length.
If we are going to add any hard rules, then I think it might be helpful to
first educate users about the reasons why strong passwords are important,
and offer easy ways for them to use them (#40237). That way they'll be
more likely to be receptive to any rules.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40234#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
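The comment argues that a minimum length is the only password rule that is both effective and tolerable for users. The following PHP script is an added example, not code from the ticket or from WordPress core: it runs a classic composition rule set and a length-only rule side by side over constructed sample passwords, so a reviewer can see which short, pattern-shaped passwords the composition rules wave through and which long passphrases they reject. The 12-character threshold is an assumed policy value.

```php
<?php
// Added example (not from the ticket or WordPress core): contrasts a
// composition-rule validator with a length-only validator on constructed
// sample passwords. MIN_PASSWORD_LENGTH is an assumed policy value.

declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 12; // assumption, not a WordPress setting

/**
 * Classic "upper, lower, digit and symbol" rule set.
 * Returns a list of human-readable failures; an empty list means accepted.
 */
function composition_rule_failures(string $password): array
{
    $failures = [];
    if (strlen($password) < 8) {
        $failures[] = 'at least 8 characters';
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $failures[] = 'an uppercase letter';
    }
    if (!preg_match('/[a-z]/', $password)) {
        $failures[] = 'a lowercase letter';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $failures[] = 'a digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $failures[] = 'a symbol';
    }
    return $failures;
}

/**
 * Length-only rule. Counts characters rather than bytes (needs the mbstring
 * extension) so a passphrase with non-ASCII letters is measured the way the
 * user sees it, not inflated by UTF-8 encoding.
 */
function length_rule_failures(string $password): array
{
    $length = mb_strlen($password, 'UTF-8');
    if ($length < MIN_PASSWORD_LENGTH) {
        return [sprintf('at least %d characters (got %d)', MIN_PASSWORD_LENGTH, $length)];
    }
    return [];
}

// Constructed samples: short passwords shaped to satisfy composition rules,
// and long passphrases that do not.
$samples = [
    'P@ssw0rd',                          // composition accepts; 8 characters
    'Tr0ub4dor&3',                       // composition accepts; 11 characters
    'correct horse battery staple',      // composition rejects; 28 characters
    'ein langer satz mit umlauten äöü',  // composition rejects; 32 characters
];

foreach ($samples as $password) {
    $composition = composition_rule_failures($password);
    $length      = length_rule_failures($password);
    printf(
        "%-36s composition: %-7s length-only: %s\n",
        var_export($password, true),
        $composition ? 'REJECT' : 'accept',
        $length ? 'REJECT (' . $length[0] . ')' : 'accept'
    );
}
```

Run with `php` on the command line; the two columns show the composition rules accepting `P@ssw0rd` and `Tr0ub4dor&3` while rejecting both passphrases, and the length-only rule doing the reverse. In a WordPress plugin the same check would be attached to the profile-save validation hook (`user_profile_update_errors`), which is an assumption about where to wire it rather than anything the ticket specifies.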