• Resolved ellmann creative

    (@ellmanncreative)


    I mean, WP uses some sort of hashing, right? Shouldn’t that make it pretty much impossible to check the password outright?

    Also, your password check seems to translate in the log (sometimes) regardless of the translation setting, like so:

    
    [Feb 28 10:30:10] Done host key check.
    [Feb 28 10:30:10] Done examining URLs
    [Feb 28 10:30:10] Rozpoczęcie sprawdzania siły hasła dla 1 użytkownika.
    [Feb 28 10:30:29] Unable to determine version for plugin js_composer
    [Feb 28 10:30:30] Examining URLs found in the options we scanned for dangerous websites
    [Feb 28 10:30:30] Done examining URLs
    

    – but that’s just a heads-up.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @ellmanncreative,

    Thanks for the mention of the translation during the log.

    WordPress does hash passwords but that doesn’t guarantee safety for passwords being comprised of dictionary words, known passwords for specific email addresses in data breaches (see https://haveibeenpwned.com), first/last name, username, email or even domain name. We check for that kind of thing slipping through the net when a user has created an account.

    Provided you have 2FA and reCAPTCHA enabled for your administrative accounts (as also recommended by WordPress themselves) then you should be in a strong position. Longer, complex passwords as generated by a password manager that aren’t duplicated with any other sites are also recommended.

    Thanks,

    Peter.

    Thread Starter ellmann creative

    (@ellmanncreative)

    Okay, but how does Wordfence check the strength of a password it can’t read? I mean the password strength check during a scan, not during account creation (and possibly password change).

    • This reply was modified 4 years, 1 month ago by ellmann creative. Reason: rewritten for clarity
    Plugin Support wfpeter

    (@wfpeter)

    Hi @ellmanncreative,

    Dictionary words, common phrases, exposed passwords from data breaches can be compared from their plain text version against a WordPress hashed password by using WordPress’ password functions. Notably, wp_check_password() can do this without exposing the encrypted password back to us or anybody else. If they don’t match with anything considered insecure then nothing will be flagged for your attention.

    Thanks again,

    Peter.
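An added example, not Wordfence's own code, of the approach Peter describes: a small audit routine that derives a handful of weak candidates from the account and site, compares each one against the user's stored hash with wp_check_password(), and reports only the category that matched. The function name, the candidate categories and the `$extra_words` list are assumptions for illustration.

```php
<?php
/**
 * Added example, not part of Wordfence. Run inside WordPress (plugin or
 * mu-plugin) so wp_check_password() and get_users() are available.
 *
 * Returns the category of the weak candidate that matched the user's stored
 * hash, or null when nothing matched. The hash is never decoded or returned;
 * only short plaintext guesses are compared against it.
 */
function audit_user_password_weakness( WP_User $user, array $extra_words = [] ): ?string {
    $host        = wp_parse_url( home_url(), PHP_URL_HOST ) ?: '';
    $email_local = strstr( $user->user_email, '@', true ) ?: $user->user_email;

    // Candidate plaintexts grouped by why they count as weak (constructed list).
    $candidates = [
        'username'   => [ $user->user_login ],
        'email'      => [ $user->user_email, $email_local ],
        'name'       => array_filter( [ $user->first_name, $user->last_name ] ),
        'domain'     => [ $host, strstr( $host, '.', true ) ?: $host ],
        'dictionary' => $extra_words, // e.g. a common-password or breach list
    ];

    foreach ( $candidates as $category => $words ) {
        foreach ( $words as $word ) {
            if ( '' === (string) $word ) {
                continue;
            }
            // Obvious case variants plus a trailing digit or punctuation.
            $variants = [ $word, strtolower( $word ), ucfirst( strtolower( $word ) ) ];
            foreach ( [ '', '1', '123', '!' ] as $suffix ) {
                foreach ( $variants as $v ) {
                    // Third argument left empty on purpose: passing a user ID
                    // lets WordPress rehash the stored password on a match.
                    if ( wp_check_password( $v . $suffix, $user->user_pass ) ) {
                        return $category;
                    }
                }
            }
        }
    }
    return null;
}

// Usage: flag accounts for attention, logging the category only, never the guess.
foreach ( get_users( [ 'fields' => 'all' ] ) as $user ) {
    $hit = audit_user_password_weakness( $user, [ 'password', 'welcome' ] );
    if ( null !== $hit ) {
        error_log( sprintf( 'Weak password (%s) for user ID %d', $hit, $user->ID ) );
    }
}
```

Each wp_check_password() call costs one full hash computation, so on a large site this is a scan-time job rather than something to run on every request.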


The topic ‘How, exactly, does Wordfence check password strength?’ is closed to new replies.