• benjaminrwalsh

    (@benjaminrwalsh)


    Attention WordPress developers:

    Password “padding” is a highly effective method for making complex passwords that are easy to remember. Consider the example password “88888KaT_88888” which registers as “weak” according to WordPress 3.7. That is NOT a weak password. It contains upper and lower case letters with symbols, and is over 14 characters long without any dictionary words!

    It is a pain to require ridiculously complex passwords — there’s no need for this. I don’t want to spend all day resetting and typing passwords when it’s completely unnecessary.

    WordPress 3.7’s password complexity check is flawed.

Viewing 15 replies - 1 through 15 (of 16 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    It’s not requiring, it’s suggesting.

    And that password is not secure because it’s repeating characters in a row. See https://askleo.com/so-is-a-long-password-of-repeating-characters-good-or-not/ for some information about it. It’s an argument as to how secure that 88888KaT_88888 would be. I’d say too many 8s would be easy for someone to snipe over a shoulder, but I used to work at a bank, and they’re neurotic.

    Thread Starter benjaminrwalsh

    (@benjaminrwalsh)

    Actually, in my case it was requiring. That’s what was frustrating.

    WordPress would not let me use a weak password. I’ve also tested passwords that are very complex containing both numbers, upper and lower case letters, symbols, and over 20 characters long, and WordPress thought these were “very weak”. The verification logic is definitely flawed. I can show you examples of *ridiculously* strong passwords that WordPress thought were weak.

    The article you referenced is referring to using one sequential character, which is not what I’m talking about. Good point about “snipe” type vulnerability, but you would have to be very good to guess my password example watching me type it at 80 WPM.

    In my case, all my WordPress sites limit login attempts so requiring overly complex passwords doesn’t help anything.

    If a password is too complex to remember, you have to type it or store it somewhere so you can remember what it is. In my opinion, that’s MORE of a vulnerability than having a password that’s complex but uses some sequential “padding” so that it’s easier to remember.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Is this about WordPress really? It sounds like the general problem of how to remember complex passwords securely.

    Personally I use LastPass.

    catacaustic

    (@catacaustic)

    WordPress by itself doesn’t require or force you to use a “strong” password. I’ve only ever seen that from security plugins that make that rule.

    This doesn’t mean that the verification process doesn’t get the strength value correct every time. It’s all based on an algorithm that’s part of the WordPress core. The best thing about that is that you can see exactly what it’s doing, exactly where it’s getting the strength value from, and if it’s not working correctly, you can file a bug or even create a patch yourself to make it work correctly.

    benjaminsumner

    (@benjaminsumner)

    The new criteria for ‘strong’ password on 3.7.1 is something with such complexity that it can’t be easy to remember. If it’s not easy to remember, it gets written down in plain sight. If it gets written down in plain sight, it’s not ‘strong’ at all, now, is it? Does the software take that into account with its grading system? Nope. Now, imagine managing dozens of contributors and requiring them to succumb to this. Admins would be unlocking accounts and resetting passwords all day. It would be a nightmare.

    www.ads-software.com and password security folks can defend the ‘strong’ criteria all they want, but this change will definitely cause confusion and far more work for a lot of people. And no, not a single one of these accounts had been hacked with these so-called ‘weak’ passwords.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    If it’s not easy to remember, it gets written down in plain sight. If it gets written down in plain sight, it’s not ‘strong’ at all, now, is it?

    Have you heard the argument of writing it down on a piece of paper as opposed to on the Web or a computer?

    And no, not a single one of these accounts had been hacked with these so-called ‘weak’ passwords.

    I wouldn’t rely on your successful experience of weak passwords; weak passwords in general are easier to discover.

    Nope. Now, imagine managing dozens of contributors and requiring them to succumb to this

    Is that happening with the new update of WordPress or something? I’m asking because I don’t know if WordPress forces you as I can’t remember being forced to do this.

    www.ads-software.com (the community) is being more assertive with its perception (I’m not judging whether right or wrong) of security for the large proportion of the Web that their software is on, so they may overrule dislike from its users if the resulting change does more good than harm.

    benjaminsumner

    (@benjaminsumner)

    Have you heard the argument of writing it down on a piece of paper as opposed to on the Web or a computer?

    I was talking about a piece of paper. But even that is an office no-no. Lock it up? Sure. But remember who the users are – dozens of contributors in an office, some in their 70s. Not easy to enforce.

    I wouldn’t rely on your successful experience of weak passwords, weak passwords in general are easier to discover.

    ‘password’ or ‘12345’ is a ‘weak’ password. Now, WordPress thinks aL123sk!#1 is a weak password, though it used to show as strong. Quite a jump.

    Is that happening with the new update of WordPress or something? I’m asking because I don’t know if WordPress forces you as I can’t remember being forced to do this.

    Depending on the configuration, it can. Regardless, considering the client, telling them that aL123sk!#1 is a weak password is essentially telling them to try again. Confusion. Forgotten passwords. Lost productivity. More work. Not good.

    so they may overrule dislike from its users if the resulting change does more good than harm.

    That’s actually refreshing to hear. Got a hard enough time getting folks to remember minimum 10-character passwords with at least one of each upper/#/special character. But definitely looking for alternatives in the meantime as to not confuse folks by telling them aL123sk!#1 is weak and therefore unacceptable.

    clendanielc

    (@clendanielc)

    Why not introduce two factor authentication?

    esmi

    (@esmi)

    There are plugins that can offer this.

    clendanielc

    (@clendanielc)

    Why not have it built in? If one of the main causes of a WP site hack is because of bad Administrator or User passwords, why not prevent it by having it built into WP?

    Just a thought.

    catacaustic

    (@catacaustic)

    That’s really plugin territory. The biggest reason is that there’s no single two-factor solution that’s going to work on every WordPress installation on every server no matter what the configuration is. Anything that’s even close would be extremely cumbersome and annoy more people than it helps.

    As far as weak passwords go, there’s only so much you can do to save users from themselves. It doesn’t matter what you add in, someone will get it wrong or do it insecurely. That’s just how people work and it’s just about impossible to program against “stupid”.

    If you want a super secure password that is easy to remember, just use a sentence with spaces.

    For example, excluding the quotes, the following passwords meet WP 3.7+ security for “strong” rating:

    “I was born in 1986”
    “My dog is 7 years old”
    “I drive a 2013 GTR”
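To illustrate why a meter can rate a padded password like “88888KaT_88888” far below what its raw length suggests, here is a small estimator added as an example; it is not WordPress’s own strength code and its charset sizes and run-costing rule are assumptions for the illustration. It ignores dictionary words, so the passphrase figures it gives are an upper bound.

```javascript
// Added example, not WordPress core code: a deliberately simple estimator that
// compares a naive "every character is random" bit count with one that prices
// a run of repeated characters as a single pick plus a repeat count.

// Assumed character-class sizes (symbols ~ printable ASCII punctuation + space).
const CHAR_CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 },
];

// Size of the alphabet a guesser would have to cover for this password.
function charsetSize(password) {
  return CHAR_CLASSES.filter((c) => c.re.test(password))
    .reduce((sum, c) => sum + c.size, 0);
}

// Split the password into runs of identical characters: "88888KaT_88888"
// becomes six tokens, two of them runs of length 5.
function tokenize(password) {
  const tokens = [];
  let i = 0;
  while (i < password.length) {
    let j = i;
    while (j < password.length && password[j] === password[i]) j += 1;
    tokens.push({ ch: password[i], run: j - i });
    i = j;
  }
  return tokens;
}

// Naive estimate: each character independently drawn from the charset.
function naiveBits(password) {
  return password.length * Math.log2(charsetSize(password));
}

// Run-aware estimate: a run of N identical characters costs one character pick
// plus log2(N) bits to express "repeat it N times" (assumed costing rule).
function runAwareBits(password) {
  const perChar = Math.log2(charsetSize(password));
  return tokenize(password)
    .reduce((bits, t) => bits + perChar + Math.log2(t.run), 0);
}

// Rounded summary for a password, handy for comparing candidates side by side.
function compare(password) {
  return { naive: Math.round(naiveBits(password)), runAware: Math.round(runAwareBits(password)) };
}
```

Running compare on “88888KaT_88888” gives roughly 92 naive bits but only about 44 run-aware bits, whereas the sentence “I was born in 1986” has no runs and keeps its full count under both rules.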

    The password strength indicator would be better to say ‘this is how safe the writer of this algorithm thinks your password is…’

    A feedback button/comments to the writer of the algorithm might allow users to express their frustration with this opinionated algorithm, which has alas been enforced by wpengine.

    It might simply be a bit of a flawed system. I created a non-sensical password just now with over ten letters and a mix of capitals and numbers but it was classified as “Very Weak”, which seems wrong.

    This is an old thread, but I still want to chime in. I’ve tried some very complex combinations of characters for a password, even just closed my eyes and hit keys at random. I’ve used combinations of upper, lower, characters, numbers and still it gets tagged as very weak. Sometimes I can get a “strong” by a very long sequence of such garbage or sometimes even a short one. There are a lot of things that fail the test that shouldn’t. It took me an hour to come up with something I could remember and that passed as “strong”.

    I know that a strong password isn’t required by WordPress, but a few good plugins do. I ought to be able to create a memorable, strong password in a whole lot less than an hour.

  • The topic ‘Password complexity verification flawed in WordPress 3.7’ is closed to new replies.