Password complexity verification flawed in WordPress 3.7 (13 posts)

  1. benjaminrwalsh
    Member
    Posted 5 months ago #

    Attention WordPress developers:

    Password "padding" is a highly effective method for making complex passwords that are easy to remember. Consider the example password "88888KaT_88888" which registers as "weak" according to WordPress 3.7. That is NOT a weak password. It contains upper and lower case letters with symbols, and is over 14 characters long without any dictionary words!

    It is a pain to require ridiculously complex passwords -- there's no need for this. I don't want to spend all day resetting and typing passwords when it's completely unnecessary.

    WordPress 3.7's password complexity check is flawed.

  2. It's not requiring, it's suggesting.

    And that password is not secure because it's repeating characters in a row. See http://askleo.com/so-is-a-long-password-of-repeating-characters-good-or-not/ for some information about it. It's an argument as to how secure that 88888KaT_88888 would be. I'd say too many 8s would be easy for someone to snipe over a shoulder, but I used to work at a bank, and they're neurotic.

  3. benjaminrwalsh
    Member
    Posted 5 months ago #

    Actually, in my case it was requiring. That's what was frustrating.

    WordPress would not let me use a weak password. I've also tested passwords that are very complex containing both numbers, upper and lower case letters, symbols, and over 20 characters long, and WordPress thought these were "very weak". The verification logic is definitely flawed. I can show you examples of *ridiculously* strong passwords that WordPress thought were weak.

    The article you referenced is referring to using one sequential character, which is not what I'm talking about. Good point about "snipe" type vulnerability, but you would have to be very good to guess my password example watching me type it at 80 WPM.

    In my case, all my WordPress sites limit login attempts so requiring overly complex passwords doesn't help anything.

    If a password is too complex to remember, you have to type it or store it somewhere so you can remember what it is. In my opinion, that's MORE of a vulnerability than having a password that's complex but uses some sequential "padding" so that it's easier to remember.

  4. Andrew Nevins
    Barrel Rider, Spam Zapper & Volunteer Moderator
    Posted 5 months ago #

    Is this about WordPress really? It sounds like the general problem of how to remember complex passwords securely.

    Personally I use LastPass.

  5. catacaustic
    Member
    Posted 5 months ago #

    WordPress by itself doesn't require or force you to use a "strong" password. I've only ever seen that from security plugins that make that rule.

    This doesn't mean that the verification process doesn't get the strength value correct every time. It's all based on an algorithm that's part of the WordPress core. The best thing about that is that you can see exactly what it's doing, exactly where it's getting the strength value from, and if it's not working correctly, you can file a bug or even create a patch yourself to make it work correctly.

  6. benjaminsumner
    Member
    Posted 5 months ago #

    The new criteria for 'strong' password on 3.7.1 is something with such complexity that it can't be easy to remember. If it's not easy to remember, it gets written down in plain sight. If it gets written down in plain sight, it's not 'strong' at all, now, is it? Does the software take that into account with its grading system? Nope. Now, imagine managing dozens of contributors and requiring them to succumb to this. Admins would be unlocking accounts and resetting passwords all day. It would be a nightmare.

    WordPress.org and password security folks can defend the 'strong' criteria all they want, but this change will definitely cause confusion and far more work for a lot of people. And no, not a single one of these accounts had been hacked with these so-called 'weak' passwords.

  7. Andrew Nevins
    Barrel Rider, Spam Zapper & Volunteer Moderator
    Posted 5 months ago #

    If it's not easy to remember, it gets written down in plain sight. If it gets written down in plain sight, it's not 'strong' at all, now, is it?

    Have you heard the argument of writing it down on a piece of paper as opposed to on the Web or a computer?

    And no, not a single one of these accounts had been hacked with these so-called 'weak' passwords.

    I wouldn't rely on your successful experience of weak passwords, weak passwords in general are easier to discover.

    Nope. Now, imagine managing dozens of contributors and requiring them to succumb to this

    Is that happening with the new update of WordPress or something? I'm asking because I don't know if WordPress forces you as I can't remember being forced to do this.

    WordPress.org (the community) is being more assertive with its perception (I'm not judging whether right or wrong) of security for the large proportion of the Web that their software is on, so they may overrule dislike from its users if the resulting change does more good than harm.

  8. benjaminsumner
    Member
    Posted 5 months ago #

    Have you heard the argument of writing it down on a piece of paper as opposed to on the Web or a computer?

    I was talking about a piece of paper. But even that is an office no-no. Lock it up? Sure. But remember who the users are - dozens of contributors in an office, some in their 70s. Not easy to enforce.

    I wouldn't rely on your successful experience of weak passwords, weak passwords in general are easier to discover.

    'password' or '12345' is a 'weak' password. Now, WordPress thinks aL123sk!#1 is a weak password, though it used to show as strong. Quite a jump.

    Is that happening with the new update of WordPress or something? I'm asking because I don't know if WordPress forces you as I can't remember being forced to do this.

    Depending on the configuration, it can. Regardless, considering the client, telling them that aL123sk!#1 is a weak password is essentially telling them to try again. Confusion. Forgotten passwords. Lost productivity. More work. Not good.

    so they may overrule dislike from its users if the resulting change does more good than harm.

    That's actually refreshing to hear. Got a hard enough time getting folks to remember minimum 10-character passwords with at least one of each upper/#/special character. But definitely looking for alternatives in the meantime so as not to confuse folks by telling them aL123sk!#1 is weak and therefore unacceptable.

  9. clendanielc
    Member
    Posted 4 months ago #

    Why not introduce two factor authentication?

  10. esmi
    Theme Diva & Forum Moderator
    Posted 4 months ago #

    There are plugins that can offer this.

  11. clendanielc
    Member
    Posted 4 months ago #

    Why not have it built in? If one of the main causes of a WP site hack is because of bad Administrator or User passwords, why not prevent it by having it built into WP?

    Just a thought.

  12. catacaustic
    Member
    Posted 4 months ago #

    That's really plugin territory. The biggest reason is that there's no single two-factor solution that's going to work on every WordPress installation on every server no matter what the configuration is. Anything that's even close would be extremely cumbersome and annoy more people than it helps.

    As far as weak passwords go, there's only so much you can do to save users from themselves. It doesn't matter what you add in, someone will get it wrong or do it insecurely. That's just how people work and it's just about impossible to program against "stupid".

  13. tsdexter
    Member
    Posted 4 months ago #

    If you want a super secure password that is easy to remember, just use a sentence with spaces.

    For example, excluding the quotes the following passwords meet WP 3.7+ security for "strong" rating:

    "I was born in 1986"
    "My dog is 7 years old"
    "I drive a 2013 GTR"
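An added example, not WordPress core's meter and not any poster's code, that makes the repeated-character argument from post 2 concrete: it splits a password into runs of one repeated character plus the remaining characters, charges a run only "pick the character, pick the run length" guesses, and compares that with the naive estimate that treats every character as independent. The run threshold, the per-class charset sizes and the cost model for runs are assumptions, and dictionary-word and sequence matching, which a real pattern-based meter also applies, are left out.

```javascript
// Added example, not WordPress core or its bundled strength-meter library.
// Model: a run of MIN_RUN+ identical characters is one "repeat" token;
// everything else is a "bruteforce" token guessed character by character.
const MIN_RUN = 3; // assumption: shorter runs count as ordinary characters

// Size of the smallest mix of standard character classes that covers `text`.
function charsetSize(text) {
  let size = 0;
  if (/[a-z]/.test(text)) size += 26;
  if (/[A-Z]/.test(text)) size += 26;
  if (/[0-9]/.test(text)) size += 10;
  if (/[^a-zA-Z0-9]/.test(text)) size += 33; // printable ASCII symbols and space
  return size;
}

// Split a password into repeat and bruteforce tokens, left to right.
function tokenize(password) {
  const runRegex = new RegExp(`(.)\\1{${MIN_RUN - 1},}`, 'g');
  const tokens = [];
  let last = 0;
  for (const m of password.matchAll(runRegex)) {
    if (m.index > last) tokens.push({ type: 'bruteforce', text: password.slice(last, m.index) });
    tokens.push({ type: 'repeat', text: m[0] });
    last = m.index + m[0].length;
  }
  if (last < password.length) tokens.push({ type: 'bruteforce', text: password.slice(last) });
  return tokens;
}

// log10 of the guesses needed by an attacker who knows the pattern structure.
// A repeat run costs charset * runLength (assumption: choose the character,
// then the length); a bruteforce token costs charset ^ length.
function patternLog10Guesses(password) {
  return tokenize(password).reduce((sum, t) => {
    if (t.type === 'repeat') return sum + Math.log10(charsetSize(t.text) * t.text.length);
    return sum + t.text.length * Math.log10(charsetSize(t.text));
  }, 0);
}

// log10 of guesses if every character were independent: charset ^ length.
function naiveLog10Guesses(password) {
  return password.length * Math.log10(charsetSize(password));
}

// Constructed sample taken from the thread: the padded password rated "weak".
const sample = '88888KaT_88888';
console.log(tokenize(sample).map(t => `${t.type}:${t.text}`).join(' '));
console.log(`naive log10 guesses   : ${naiveLog10Guesses(sample).toFixed(1)}`); // 27.7
console.log(`pattern log10 guesses : ${patternLog10Guesses(sample).toFixed(1)}`); // 11.1
```

The two numbers show why length alone is misleading for the padded password: the ten 8s contribute fewer guesses together than two unrelated characters would under the naive model.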
