• Resolved microscan5ep

    (@microscan5ep)


    Hi,

    Your password rules are enforcing the use of a mixture of uppercase, lowercase, numeric and symbols as well as a minimum length. This is now considered poor practice and in fact does NOT result in better/stronger passwords. I wonder if you have read the NIST guidelines?

    https://pages.nist.gov/800-63-3/sp800-63-3.html

    There is also a great cartoon that sums it up: https://xkcd.com/936/

    In a nutshell, forcing users to use all those different types of characters is a bad idea. It’s length that counts. Please could you reconsider your current password enforcement policy as it spoils what is otherwise a great WP plugin.

    Or at the very least, add an option that turns off the “extra” symbols and just enforces a length of at least 12 characters?

    Thank you


  • Plugin Support wfpeter

    (@wfpeter)

    Hi @microscan5ep, thanks for your kind words about the plugin and suggestion on the improvements to our password strength rules.

    You’re absolutely correct in your observations that length is a key factor in password strength, especially against automated attacks, and we may consider implementing something like that in the future. We do expect to get some pushback on changing this and will only be able to commit to a release when we can be sure the information we can provide and solution we come to is a good fit for most of our customers.

    Keeping in mind that there are a lot of non-technical people running WordPress sites, if we didn’t keep some degree of character/case requirements there might be a decrease in quality of overall passwords in some cases. However, for the benefit of other folks searching the forums, I’ll also mention that the more roadblocks like reCAPTCHA and 2FA you put in front of gaining access, especially on your admin account(s), the better; this is our best recommendation on top of a complex or very long password.

    We currently check some other things like sequences and repeated characters that would still be useful to prevent longer but repetitive (and easy to guess) passwords. WordPress itself still uses zxcvbn.js, but doesn’t enforce it if the user doesn’t want it.

    Many thanks,
    Peter.

    Thread Starter microscan5ep

    (@microscan5ep)

    Thanks for the reply Peter. Maybe you could have the current password checks on by default, but provide an advanced setting where they can be turned off individually?

    Absolutely agree with your comment re. 2FA, although I’m not a big fan of reCAPTCHA personally.

    Regards
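For readers who want to see what the policy discussed in this thread looks like in code, the following is an added example written for this page; it is not Wordfence's or WordPress's own code, and the thresholds (a 12-character floor as suggested above, a run of more than 3 repeated characters, a monotonic sequence longer than 3), the option names and the sample passwords are all assumptions. It implements a length-first check, the sequence and repeated-character checks Peter mentions, a character-class rule that is on by default but can be switched off as proposed, and a naive guess-space estimate that shows why length matters more than composition.

```javascript
// Added example, not Wordfence's or WordPress's code. Policy thresholds and
// option names are assumptions chosen to illustrate the thread's discussion.
const DEFAULT_POLICY = {
  minLength: 12,        // assumption: the 12-character floor suggested in the thread
  requireClasses: true, // composition rule on by default, can be turned off
  maxRepeat: 3,         // "aaa" allowed, "aaaa" rejected
  maxSequence: 3,       // "abc" allowed, "abcd" / "4321" rejected
};

function charClasses(pw) {
  return {
    lower: /[a-z]/.test(pw),
    upper: /[A-Z]/.test(pw),
    digit: /[0-9]/.test(pw),
    symbol: /[^A-Za-z0-9]/.test(pw),
  };
}

// Longest run of one repeated character, e.g. "xaaay" -> 3.
function longestRepeat(pw) {
  let best = 0, run = 0;
  for (let i = 0; i < pw.length; i++) {
    run = i > 0 && pw[i] === pw[i - 1] ? run + 1 : 1;
    if (run > best) best = run;
  }
  return best;
}

// Longest run of code points stepping by +1 or -1 in one direction,
// e.g. "abcd" -> 4, "9876" -> 4, "abcba" -> 3.
function longestSequence(pw) {
  let best = 0, run = 0, dir = 0;
  for (let i = 0; i < pw.length; i++) {
    if (i === 0) {
      run = 1; dir = 0;
    } else {
      const d = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
      if ((d === 1 || d === -1) && (dir === 0 || d === dir)) { run += 1; dir = d; }
      else if (d === 1 || d === -1) { run = 2; dir = d; }
      else { run = 1; dir = 0; }
    }
    if (run > best) best = run;
  }
  return best;
}

// Crude guess-space estimate in bits, log2(alphabet ^ length), for an attacker
// who knows which character classes were used but nothing else. The alphabet
// sizes (26/26/10/33 printable ASCII) are assumptions; real attackers use
// dictionaries, so this is an upper bound that only illustrates the length effect.
function naiveEntropyBits(pw) {
  const c = charClasses(pw);
  const alphabet = (c.lower ? 26 : 0) + (c.upper ? 26 : 0) +
                   (c.digit ? 10 : 0) + (c.symbol ? 33 : 0);
  return alphabet === 0 ? 0 : pw.length * Math.log2(alphabet);
}

// Returns { ok, reasons, bits }. Every failing rule is reported, not just the first.
function checkPassword(pw, policy = {}) {
  const p = { ...DEFAULT_POLICY, ...policy };
  const reasons = [];
  if (pw.length < p.minLength) reasons.push(`shorter than ${p.minLength} characters`);
  if (p.requireClasses) {
    const used = Object.values(charClasses(pw)).filter(Boolean).length;
    if (used < 4) reasons.push("missing a character class (upper, lower, digit, symbol)");
  }
  if (longestRepeat(pw) > p.maxRepeat) reasons.push(`more than ${p.maxRepeat} repeated characters in a row`);
  if (longestSequence(pw) > p.maxSequence) reasons.push(`a sequence longer than ${p.maxSequence} characters`);
  return { ok: reasons.length === 0, reasons, bits: Math.round(naiveEntropyBits(pw)) };
}

// Constructed sample inputs (not from the thread):
// "Tr0ub4dor&3" satisfies every class rule but is 11 characters (~72 bits naive);
// "correcthorsebatterystaple" is lowercase only but 25 characters (~118 bits naive);
// "Aaaa1234!!!!!!" passes length and classes yet fails the repeat and sequence checks.
console.log(checkPassword("Tr0ub4dor&3"));
console.log(checkPassword("correcthorsebatterystaple"));
console.log(checkPassword("correcthorsebatterystaple", { requireClasses: false }));
console.log(checkPassword("Aaaa1234!!!!!!"));
```

With `requireClasses` switched off, the long lowercase passphrase is accepted while the short mixed-class one is still rejected on length alone, and the repeat/sequence checks continue to catch long-but-repetitive strings either way, which is the combination the thread converges on.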

    Plugin Support wfpeter

    (@wfpeter)

    An option could certainly be a good way to introduce a new requirement, so thanks again for your suggestion @microscan5ep.

    As we’re unable to provide ongoing development updates here on the forums, topics such as this will be marked as “resolved”. Please note that we don’t consider this the case internally and all development requests are logged separately for internal discussion with a view to bringing many to the plugin over time.

    Thanks again,
    Peter.

  • The topic ‘Inappropriate password rules’ is closed to new replies.