• Resolved karlemilnikka

    (@karlemilnikka)


    Hi.

    This is just a feature suggestion.

    The Frontend login module lets the administrator require members to choose “strong” passwords with at least eight characters including a mixture of uppercase and lowercase characters as well as a number. That’s quite an outdated password policy. Both the NIST and Microsoft recommend not requiring passwords with a mixture of character types.

    “Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.”

    – NIST Special Publication 800-63B (Digital Identity Guidelines Authentication and Lifecycle Management), page 14. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

    “Advice to IT Administrators /—/ Eliminate character-composition requirements.”

    – Microsoft Password Guidance. https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

    Please consider adding a modern password policy as an option. A toggle to display the entered password on the password reset page (instead of entering the password twice) would also, in combination with WordPress’ ZXCVBN strength meter, be a great addition.

    Finally, thanks for including support for the WP 2FA plugin!
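As an added illustration (not code from the plugin or the poster), the two policies contrasted above side by side: the composition rule the post describes, and a NIST SP 800-63B style check that enforces only a minimum length and a blocklist. The blocklist entries are constructed for the demo, and the case-insensitive blocklist comparison and the 64-character upper bound (NIST says verifiers should permit at least 64) are assumptions.

```python
import unicodedata

# Constructed stand-in for a list of common or breached passwords;
# a real deployment would load a large corpus instead of these four entries.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein"}


def legacy_policy(pw: str) -> bool:
    """The rule the post describes: at least 8 characters including
    uppercase, lowercase and a digit."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
    )


def modern_policy(pw: str, blocklist=BLOCKLIST, min_len=8, max_len=64):
    """NIST SP 800-63B style: length bounds plus a blocklist check,
    no character-composition rules. Returns (accepted, reason)."""
    # NIST recommends Unicode normalization (NFKC or NFKD) before counting
    # length, so visually equivalent inputs are treated alike.
    norm = unicodedata.normalize("NFKC", pw)
    if len(norm) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(norm) > max_len:
        return False, f"longer than {max_len} characters"
    # Assumption: blocklist lookups are case-insensitive, so "Password1"
    # is rejected even though only "password1" is listed.
    if norm.lower() in blocklist:
        return False, "appears in the blocklist of common or breached passwords"
    return True, "ok"


def compare(pw: str) -> dict:
    """Evaluate one candidate under both policies."""
    return {"legacy": legacy_policy(pw), "modern": modern_policy(pw)[0]}


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple", "short1A"):
        print(repr(candidate), compare(candidate))
```

A typical result: "Password1" satisfies the composition rule yet is rejected by the blocklist, while a long lowercase passphrase fails the composition rule and passes the modern check.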

Viewing 1 replies (of 1 total)
  • Plugin Author Uncanny Owl

    (@uncannyowl)

    Hi @karlemilnikka, this is great and helpful feedback. I have discussed it with our team and added it to our roadmap, but I can’t confirm an ETA for release right now (though tentatively I would target Q1, probably not before end of year).

    We will tentatively mark this closed, as it’s not an open support ticket, but we wanted to confirm we have actioned this internally.

  • The topic ‘Feature Suggestion: Modern password policy’ is closed to new replies.