WordPress.org

Support

Support » Plugins and Hacks » [Resolved] Password Strength settings

[Resolved] Password Strength settings

  • We have a client that requires the password complexity to not be so strong. This has probably been suggested before, but could there be the option for each rule with a series of tick boxes?

    • Minimum length (customizable)
    • Doesn’t match blog info
    • Doesn’t match user data
    • Must either have numbers, punctuation, upper and lower case characters or be very long. Note: alphabets with only one case (e.g. Arabic, Hebrew, etc.) are automatically exempted from the upper/lower case requirement.
    • Non-sequential codepoints
    • Non-sequential keystrokes (custom sequence files can be added)
    • Not in the password dictionary files you’ve provided (if any)
    • Decodes “leet” speak
    • The password/phrase is not found by the dict dictionary program (if available)

    I would expect this would be a welcomed feature and would also mean we wouldn’t need to look for an alternative solution.

    http://wordpress.org/extend/plugins/login-security-solution/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Agreed, ease of use needs to come before security at times. Good suggestion.

    By the way, the plugin code is on github, so one could always fork it and make the necessary adjustments.

    Plugin Author Daniel Convissor

    @convissor

    I’ll think about it (some more).

    Hi, I’d like to add my vote to one aspect of this request: the ability to set the “Length” of the password (in the Password Policies section) to something less than 10, which is the current minimum length which this plugin allows.

    For me personally, a minimum length of 8 characters is sufficient on my site – 10 characters is too long.

    In any case, I think this should be something for the administrator (ie. me) to determine, and not have it forced on my by this (excellent, very useful) plugin. 🙂

    I would also like to see more password strength options. While the complexity is nice, some clients don’t want that much strength.

    I have been in a tussle with 150 members on our site who find the password security features too onerous given what information we’re ‘protecting’, so I too would value a greater degree of flexibility.

    yes i’d like that too! There are some clients out there where a password length <10 would be sufficient…

    also just letters/numbers… most of my clients do not like “.” in their pass phrases 🙂

    THANKS FOR THIS GREAT PLUGIN!

    Plugin Author Daniel Convissor

    @convissor

    the password security features [are] too onerous given what information we’re ‘protecting’

    The _vast_ majority of malware (etc) is spread via legitimate websites that have been compromised. Enforcing password strength is not about protecting your site’s data, it’s about protecting everyone on the Internet.

    That’s very true. But a minimum length of 10 characters is still overkill for most users, and for protecting against compromise. Eight characters is generally sufficient for most, and this is what WordPress itself uses for its “medium” password security level.

    In any case, I think it’s best when the administrators themselves can determine this based on their own security policies. The best solution would be for the plugin to default to 10 characters, and stay at 10 unless the admin chooses to override it. You could also add a warning, big flashing red letters etc to make sure the admin is aware of the consequences. 🙂

    …An effectively strong password, which is resistant against hacking, could only need 8 characters as long as it is made up of a good mix of upper case, lower case and numbers/symbols.

    …And leading websites like Google, Facebook, Microsoft, etc etc, allow for 8-character passwords too.

    One more vote for that. I’m working on a project with very precise security requirements. There’s a team of experts deciding exactly how things should work – and I’d love to be able to use your plugin while still complying with their recommendations.

    A couple of checkboxes would help a lot…

    (Thanks!)

    this issue is not resolved is it? Mr Daniel Convissor i understand your concern and i would like to keep the internet as maleware free as possible too… but there are people using the internet who might be a little older and cannot manage your password strenght settings…

    i tweaked your plugin to my own liking but i would really like to use it out of the box…

    please consider again …

    I would also like to see this option. I agree about the need for strong passwords, but for someone not using a password manager, its difficult when we try to force them into 10-digit passwords with different character combinations.

    I know for our site we have had to reconsider the plugin after numerous complaints from users. If we could have more control, we could still benefit from the plugin while keeping our paying customers happy.

    Thanks for the great plugin. I think it would be better to allow a minimum of 8 character passwords but default to 10. For sites with members it can be a battle to enforce 10 characters. We are actually seeing a dropoff in member signups when we have this plugin installed.

    Central Geek

    @central-geek

    I would agree, 10 characters is an excessive “requirement”. I have checked around and 8 characters, with the requirements this plugin imposes – and given the requirement also that the password cannot contain words that pertain to the user or the website, results in a well above average security measure.

    Please adjust the minimum requirement to 8 characters with the same conditions you require.

    Inclusion of a strength meter would be a great addition.

    Thanks for the plugin and the hard work you have put into this project. It’s not that the work isn’t appreciated, it is simply that the standards recognized on the internet as being secure are less than what you are requiring. And potential users / members are usually pretty much as concerned about the security of their account as we are. If they say 10 is too much and it lines up with what most everyone else says, why is it such a problem to make the adjustment?

Viewing 15 replies - 1 through 15 (of 18 total)
  • The topic ‘[Resolved] Password Strength settings’ is closed to new replies.