• Resolved kalleaume

    (@kalleaume)


    In this post, you mentioned: “We have fixed the Strong Password issue and released the update. With a Minimum of one uppercase letter, a number, a special character, and it must be eight characters”. However, I have downloaded the latest version of the plugin (Version 3.0.1) and my testing confirmed that this is not the case.

    As an example, I registered with the password ‘Happy58!’ which meets all the above criteria. It contains eight characters, an uppercase letter, a number and a special character. However, the password strength meter still shows ‘Weak’ and does not allow the user to register with this password (Submit button was deactivated).

    I tested many other options and the strength meter only showed ‘Strong’ when I used a password with 11 characters, not 8 characters. For example, when I used ‘Happy58!BDX’, the strength meter showed ‘Strong’ and the Submit button was activated.

    Could you please advise how we can address this issue?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter kalleaume

    (@kalleaume)

    No need to worry about fixing this issue because the 11-character requirement is more secure than the 8-character requirement anyway. So we’re happy to stick with the 11-character requirement.

    However we can simply update the translation for the validation message shown to users which reads: “Hint: Minimum one uppercase letter, a number. a special character and must beat least 8 characters”. We can simply update ‘8 characters’ to read ’11 characters’ using a translation plugin and the problem is fixed!

    Thread Starter kalleaume

    (@kalleaume)

    @shresthauzwal Actually, I have found that these password criteria do not consistently require 11 characters. It seems to depend on the combination or order of characters selected.

    In my testing of 8-character passwords, I could not find any that are accepted. Do you have an example of an 8-character password that is accepted?

    In my testing of 9-character passwords, I found that the following password is not accepted:
    ‘Happy581!’
    But this 9-character password is accepted:
    ‘H5a8p!py1’ (same characters as above, but in a different order).

    Are you able to clarify please what the exact password requirements are for a strong password?

    Plugin Support Amrit Kumar Shrestha

    (@shresthauzwal)

    Hi @kalleaume,

    Regarding the strength meter, our password validation process involves two steps. First, we utilize the library used by WordPress (https://github.com/dropbox/zxcvbn) to determine whether the password is strong. Only after the library confirms the strength do we apply our own strength meter validation. If the library indicates a strong password, we proceed with our validation, which includes checking for an uppercase letter, a number, a special character, and a minimum length of 8 characters. Therefore, if a password does not meet these criteria, it is considered weak.

    Please note that we are primarily conducting additional validations. However, passwords like “Happy58!” may contain common words such as “Happy,” which the library identifies as weak. In such cases, our weak password validation will be triggered, while the strong password validation will not be executed.

    To clarify, I will modify the displayed text as follows:
    “The password must contain at least one uppercase letter, one number, one special character, and have a minimum length of 8 characters. Additionally, it should not contain any common or repetitive words.”

    Regards!

  • The topic ‘Strength meter criteria are inaccurate’ is closed to new replies.
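
The two-step check described in the support reply, sketched as an added example (not the plugin's code and not zxcvbn's algorithm). `estimateLog10Guesses` is a simplified stand-in estimator; the word list, costs and threshold are assumptions chosen for illustration. It shows why reordering the same characters can change the verdict while the composition rules stay satisfied.

```javascript
// Constructed stand-in for a guess estimator; NOT zxcvbn's algorithm.
// Assumed cost model: a common word costs WORD_COST "digits" of guessing
// no matter how long it is; every other character costs 1.
const COMMON_WORDS = ["password", "welcome", "happy", "summer", "admin"]; // constructed list
const WORD_COST = 3;        // assumption: about 10^3 guesses for a common word
const STRONG_THRESHOLD = 8; // assumption: at least 10^8 guesses counts as strong

function estimateLog10Guesses(password) {
  const lower = password.toLowerCase();
  let cost = 0;
  let i = 0;
  while (i < lower.length) {
    // Longest dictionary word starting at position i, if any.
    const hit = COMMON_WORDS
      .filter((w) => lower.startsWith(w, i))
      .sort((a, b) => b.length - a.length)[0];
    if (hit) { cost += WORD_COST; i += hit.length; }
    else { cost += 1; i += 1; }
  }
  return cost;
}

// Stage 2: the composition rules quoted in the thread.
function meetsCompositionRules(password) {
  return password.length >= 8 &&
    /[A-Z]/.test(password) &&
    /[0-9]/.test(password) &&
    /[^A-Za-z0-9]/.test(password);
}

// Stage 1 gates stage 2, in the order the support reply describes.
function checkPassword(password) {
  if (estimateLog10Guesses(password) < STRONG_THRESHOLD) {
    return { accepted: false, reason: "estimator: weak" };
  }
  if (!meetsCompositionRules(password)) {
    return { accepted: false, reason: "composition rules not met" };
  }
  return { accepted: true, reason: "strong" };
}

// The four passwords from the thread.
for (const pw of ["Happy58!", "Happy581!", "H5a8p!py1", "Happy58!BDX"]) {
  console.log(pw, checkPassword(pw));
}
```

Under this model a password can pass every composition rule and still be rejected at stage 1, so a hint that lists only the composition rules understates the real requirement.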