[wp-trac] [WordPress Trac] #35817: Force users to set strong passwords
WordPress Trac
noreply at wordpress.org
Sun Mar 26 21:16:58 UTC 2017
#35817: Force users to set strong passwords
----------------------------+------------------------------
Reporter: ericlewis | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses: ui
----------------------------+------------------------------
Comment (by lovingboth):
Replying to [comment:17 robdxw]:
> Replying to [comment:9 lovingboth]:
> > '''Anyone who is NOT an admin should not get to choose what the lowest
> > acceptable password strength is''', 'please confirm you want to use a
> > rubbish password' prompt or not.
>
> I tend to agree with this. By default, the current WordPress setup is:
> whoever sets the worst password controls how secure the site is. That
> seems fundamentally wrong - it should be the admin who controls how secure
> the site is, not anybody else. If the admin is happy for weak passwords to
> be in use, that's possibly a different matter, but they should at least
> have control over that decision.
Quite. Particularly given the 'at least one a year' user privilege
escalation exploits that WordPress has had since the beginning.
See also [https://core.trac.wordpress.org/ticket/37604] which is a request
that the "Password Lost and Changed for user: [username]" emails to site
owners contain WordPress's estimate of the strength of the new password.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35817#comment:18>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
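The comment above describes the situation the ticket wants changed: the strength meter and the "confirm use of weak password" checkbox are client-side only, so the server accepts whatever the user confirms. The following is an added example (editor's illustration, not WordPress core code and not a patch attached to this ticket) of an mu-plugin that enforces an administrator-chosen floor server-side, on the two code paths where a user supplies a password: the profile / "Add New User" screen (`user_profile_update_errors`) and the lost-password reset form (`validate_password_reset`). The constants `MPS_MIN_LENGTH` and `MPS_MIN_CLASSES`, the `mps_` function name and the policy values are assumptions for the example; a real plugin would read the values from an option only administrators can set.

```php
<?php
/**
 * Plugin Name: Minimum password strength (illustrative example)
 * Description: Server-side password policy that the "confirm use of weak
 * password" checkbox cannot bypass. Added example, not WordPress core code
 * and not a patch from ticket #35817; the policy values are assumptions.
 */

// Assumed site policy. A real plugin would read these from an option the
// administrator sets, so that the admin, not the user, decides the floor.
const MPS_MIN_LENGTH  = 12;
const MPS_MIN_CLASSES = 3; // of: lower case, upper case, digit, symbol

/**
 * Return an error message if $password fails the policy, or null if it passes.
 * Kept free of WordPress calls so it can be tested without loading core.
 */
function mps_password_problem( $password, $user_login = '', $user_email = '' ) {
    if ( strlen( $password ) < MPS_MIN_LENGTH ) {
        return sprintf( 'Password must be at least %d characters long.', MPS_MIN_LENGTH );
    }

    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $pattern ) {
        if ( preg_match( $pattern, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < MPS_MIN_CLASSES ) {
        return sprintf( 'Password must use at least %d of: lower case, upper case, digits, symbols.', MPS_MIN_CLASSES );
    }

    // Reject passwords that contain the login or the local part of the e-mail.
    $haystack = strtolower( $password );
    $local    = (string) strstr( (string) $user_email, '@', true );
    foreach ( array( (string) $user_login, $local ) as $needle ) {
        if ( strlen( $needle ) >= 4 && false !== strpos( $haystack, strtolower( $needle ) ) ) {
            return 'Password must not contain your user name or e-mail address.';
        }
    }

    return null;
}

/**
 * Profile edit and "Add New User" screens in wp-admin. When this action fires,
 * edit_user() has already copied the submitted password into $user->user_pass
 * (only when pass1 was non-empty) and nothing in core has checked its
 * strength; the pw_weak checkbox is a purely client-side confirmation.
 */
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change in this submission.
    }
    $problem = mps_password_problem(
        $user->user_pass,
        $user->user_login ?? '',
        $user->user_email ?? ''
    );
    if ( null !== $problem ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . $problem );
    }
}, 10, 3 );

/**
 * Lost-password reset form (wp-login.php?action=rp). Core calls
 * reset_password() only if $errors is still empty after this action.
 */
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) || ! ( $user instanceof WP_User ) ) {
        return; // Form being displayed, or the reset key was already rejected.
    }
    $problem = mps_password_problem(
        wp_unslash( $_POST['pass1'] ),
        $user->user_login,
        $user->user_email
    );
    if ( null !== $problem ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . $problem );
    }
}, 10, 2 );
```

Dropping the file into `wp-content/mu-plugins/` makes the check unconditional for every user, including administrators, which is the point: the weakest password on the site is then bounded by a value the administrator chose rather than by whoever ticked the confirmation box. Self-registration is not covered because default WordPress does not accept a password on the registration form; it e-mails a reset link, which lands on the `validate_password_reset` path above.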