Strong password enforcement not accepting ‘Strong’ passwords

  • I have strong password enforcement enabled but when an admin attempts to set a new password that rates “Strong” in the password meter it still rejects the password as not strong upon trying to save it. We had a password that was 11 characters, included caps, lowercase, numbers and symbols. It showed as strong but still rejected at save. Adding 2 more numbers to it got it accepted.

Viewing 3 replies - 1 through 3 (of 3 total)

  • Hi,

    Do you have any other plugins that also enforce strong passwords or enhance security on your site? Typically passwords should be at least twelve characters long, so that may have been your issue.

    Thanks,

    Matt
    iThemes.com

    Thread Starter curlypinky

    (@curlypinky)

    Hi Matt,
    No other password security plugins installed, just iThemes.
    Is it WordPress or iThemes that sets the rules for strength on the password strength meter? The meter said it was strong at 11 characters so the user was getting hung up trying to save that. Indeed going to a 13 character password passed and allowed them to save a new password, but they had to call for support because they were hung up on the meter telling them the shorter password was strong enough.
    Thanks,
    Alane

    Is it WordPress or iThemes that sets the rules for strength on the password strength meter?

    Kind of both.
    The WordPress Password Strength Meter is a javascript implementation of the external zxcvbn library (version 4.4.1 is included in the latest WordPress release).
    You can find the script as wp-includes/js/zxcvbn.min.js

    To enforce strong passwords the iTSec plugin adds a custom zxcvbn PHP port in order to able to perform server validation (better-wp-security/core/lib/itsec-zxcvbn-php/readme.md).

    I’m pretty sure that the password strength results of a given password by zxcvbn javascript versus its custom PHP port is not always the same. Hence your issue.

    Probably the zxcvbn custom PHP port included with the iTSec plugin needs an update … If I’m correct it’s still based on an old version of the zxcvbn javascript library …

    Another possibility is that there are bugs in iThemes zxcvbn custom PHP port that need to be fixed.

    Either way, provide iThemes with a solid testcase and I’m sure they will fix/update it.

    To prevent any confusion, I’m not iThemes.

    • This reply was modified 5 years, 3 months ago by nlpro.
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Strong password enforcement not accepting ‘Strong’ passwords’ is closed to new replies.