    Hi Daniel,

    Just saw there was an update to the plugin today – thanks!

    Regarding the ongoing password strength issue – as you know there are quite a lot of folks asking if you will change the password requirements that your plugin enforces, which currently cannot be disabled.

    Can you give us an update on whether you’re still considering this or not, so we know where you stand on the issue?

    Incidentally, I was just reading this article which discusses the new password strength meter which WP 3.7 introduced – it’s now using Dropbox’s zxcvbn library which is a lot more accurate in deciding what makes a strong password. (There’s more info on this new library at Dropbox’s own blog, and they have a demo of it here.)

    You can see from their description of this new library, and the demo, that it’s very accurate – the strength of a password is not simply based on the number of characters (like your plugin requires), but on much more complex factors. Therefore it’s possible to have a password under 10 characters which is considered “strong”, and a password over 10 characters (including numbers and upper/lowercase) which is still considered weak!

    Based on this new library now used by WordPress, my suggestion or request for you would be to completely remove your plugin’s own password complexity requirements (e.g. a certain number of characters), and simply rely on the password complexity settings built into WordPress now using this new library.

    That means, if WordPress’s password strength meter (using the zxcvbn library) considers a password to be “strong” or even “medium”, then your plugin would allow it, but if WordPress considers it to be “weak” then your plugin would block it. So your plugin would merely be enforcing a certain strength, based on WordPress’s own algorithms – which is still a big advantage to us, because currently WordPress by itself does not enforce any kind of password strength.

    Since WordPress 3.7+ now already does a great job of determining what is a good password, I think there’s no reason for your plugin to “reinvent the wheel” by imposing additional requirements on top!

    I would also request that the plugin allow us (the administrator) to choose what the minimum level is – either “medium” or “strong” (but not weak). You could make the default requirement “strong” but still allow it to be changed to “medium” if the admin really needs that due to his client’s requirements. That’s because a medium password is still a very good one. A medium password will still usually be 8-10 characters minimum and still need a good mix of numbers, characters and letters, even using the new zxcvbn library. So I think that is really the best solution, and a good balance for you, between giving some control back to the WordPress admin and still enforcing a good level of security through your plugin.

    What do you think?

    By the way, I also noticed that when your plugin is enabled right now, it blocks or removes the WordPress strength meter on the User Profile page. Could you please allow the strength meter to be visible? It’s still very useful to see.

    Thanks!!

    http://wordpress.org/plugins/login-security-solution/
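The policy described in the post above (block “weak”, let the admin choose “medium” or “strong” as the minimum, default to “strong”), sketched as a WordPress hook. This is an added example and not code from the Login Security Solution plugin or from WordPress; the option name `lss_example_min_strength` and the function names are hypothetical, and it assumes a server-side zxcvbn port exposing the same 0-4 score as the JavaScript library (here the API of the `bjeavons/zxcvbn-php` package). The score is recomputed on the server rather than read back from the browser, because the meter on the profile page runs in JavaScript the user controls and a submitted score could be anything.

```php
<?php
/**
 * Added example, not the Login Security Solution plugin's own code.
 * Enforces a minimum zxcvbn strength on password changes and resets,
 * with an admin-selectable minimum of "medium" or "strong".
 *
 * Assumptions (hypothetical names): the option 'lss_example_min_strength'
 * and a server-side zxcvbn port with a 0-4 score, using the API of the
 * bjeavons/zxcvbn-php package (ZxcvbnPhp\Zxcvbn::passwordStrength()).
 */

// WordPress 3.7's meter shows zxcvbn's 0-4 score as:
// 0-1 "Very weak", 2 "Weak", 3 "Medium", 4 "Strong".
const LSS_EXAMPLE_SCORE_MEDIUM = 3;
const LSS_EXAMPLE_SCORE_STRONG = 4;

/** Admin-chosen minimum: "medium" or "strong" (default). "weak" is never an option. */
function lss_example_min_score() {
    $level = get_option( 'lss_example_min_strength', 'strong' );
    return ( 'medium' === $level ) ? LSS_EXAMPLE_SCORE_MEDIUM : LSS_EXAMPLE_SCORE_STRONG;
}

/**
 * Score the password on the server. The browser's meter result is computed by
 * client-side JavaScript, so a POSTed score cannot be what gates the change;
 * re-scoring here is what turns the meter into an enforced policy.
 */
function lss_example_score( $password, array $user_inputs ) {
    $zxcvbn = new \ZxcvbnPhp\Zxcvbn();
    $result = $zxcvbn->passwordStrength( $password, $user_inputs );
    return (int) $result['score'];
}

/** Reject a new password that scores below the configured minimum. */
function lss_example_validate( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change submitted
    }
    $password = wp_unslash( $_POST['pass1'] );

    // Feed the account's own identifiers to zxcvbn so passwords built from
    // the username or e-mail score low, as the WP meter does client-side.
    $inputs = array_values( array_filter( array(
        isset( $user->user_login )   ? $user->user_login   : '',
        isset( $user->user_email )   ? $user->user_email   : '',
        isset( $user->display_name ) ? $user->display_name : '',
    ) ) );

    if ( lss_example_score( $password, $inputs ) < lss_example_min_score() ) {
        $needed = ( LSS_EXAMPLE_SCORE_STRONG === lss_example_min_score() ) ? 'Strong' : 'Medium';
        $errors->add(
            'lss_example_weak_password',
            sprintf( '<strong>ERROR</strong>: The password must rate at least "%s" on the strength meter.', $needed )
        );
    }
}

/** Profile edits pass ($errors, $update, $user); resets pass ($errors, $user). */
function lss_example_validate_profile( $errors, $update, $user ) {
    lss_example_validate( $errors, $user );
}
add_action( 'user_profile_update_errors', 'lss_example_validate_profile', 10, 3 );
add_action( 'validate_password_reset', 'lss_example_validate', 10, 2 );
```

Because the check lives in the server-side validation hooks and adds a normal `WP_Error`, the profile page's own strength meter can stay visible and keeps giving the user live feedback; the hook only decides whether the submitted password is accepted.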
