[wp-trac] [WordPress Trac] #37604: 'Password Lost/Changed' emails should give indication of the strength of the new password
WordPress Trac
noreply at wordpress.org
Mon Apr 9 13:18:36 UTC 2018
#37604: 'Password Lost/Changed' emails should give indication of the strength of
the new password
-----------------------------------+-----------------------------
Reporter: lovingboth | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version: 3.7
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion | Focuses:
-----------------------------------+-----------------------------
Changes (by birgire):
* keywords: needs-patch => has-patch 2nd-opinion
Comment:
I was just curious how this could be implemented, since the password
strength is estimated in JavaScript.
[attachment:37604.diff] is a POC implementation just to see if it would be
possible:
- Adds the password strength score via JS to a hidden input on the reset
password form.
- Validates the score input value in PHP after the form has been
submitted.
- Adds the score to the {{{'validate_password_reset'}}} action. (if one
would like restrictions based on the score).
- Adds a score input to the functions {{{reset_password()}}} and
{{{wp_password_change_notification()}}}.
- Adds the password strength information to the password change
notification.
There's a PHP implementation [https://github.com/bjeavons/zxcvbn-php
here], but I didn't look into that option.
The score has these possible values:
{{{
result.score # 0, 1, 2, 3 or 4 if crack time is less than
# 10**2, 10**4, 10**6, 10**8, Infinity.
}}}
https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
Then WordPress also adds the values {{{-1}}} (unknown) and {{{5}}}
(mismatch) in {{{wp-admin/js/password-strength-meter.js}}}.
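The score mapping quoted above and the server-side check the POC needs, as an added example (not code from the ticket, the attached diff or WordPress core; function names and the strength labels are assumed). The server only ever sees the number the browser posted, so the validator treats it as a client claim: anything outside the -1..5 range becomes "unknown" rather than being trusted.

```javascript
// Added example, not from the ticket's patch. Function names are assumed.

// zxcvbn's score from an estimated crack time in seconds:
// 0..4 if the time is below 10**2, 10**4, 10**6, 10**8, Infinity.
function scoreFromCrackTime(seconds) {
  const thresholds = [1e2, 1e4, 1e6, 1e8];
  for (let score = 0; score < thresholds.length; score++) {
    if (seconds < thresholds[score]) return score;
  }
  return 4;
}

// WordPress extends the range with -1 (unknown) and 5 (mismatch).
const SCORE_MIN = -1;
const SCORE_MAX = 5;

// What the PHP side would have to do with the hidden input: the value is
// client-supplied, so accept only an integer in the known range and map
// everything else to "unknown" instead of trusting it.
function validateSubmittedScore(raw) {
  if (typeof raw !== 'string' || !/^-?\d+$/.test(raw.trim())) return -1;
  const n = parseInt(raw, 10);
  return n >= SCORE_MIN && n <= SCORE_MAX ? n : -1;
}

// Label a password-changed notification could carry (assumed wording).
function strengthLabel(score) {
  switch (score) {
    case 0: case 1: return 'very weak';
    case 2: return 'weak';
    case 3: return 'medium';
    case 4: return 'strong';
    case 5: return 'mismatch';
    default: return 'unknown';
  }
}

// Constructed sample of the posted form field.
const postedScore = '3';
console.log(strengthLabel(validateSubmittedScore(postedScore))); // medium
```

Because the browser can post any value, a high score in the notification is evidence of what the meter reported, not proof the password is strong; a server-side estimator such as the PHP port mentioned above is what would make it authoritative.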
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37604#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform