Strong password not enforced, weak password not detected in scan

  • Resolved thyelton

    (@thyelton)


    11 years, 1 month ago

    I created a user (Subscriber) with a strong password then logged in as that user and successfully changed its password to a four letter password – not prevented by Wordfence though set to require strong passwords for all. Logged out and logged back in using the weak password to verify that it had actually changed.

    Then ran Wordfence scan to check for weak passwords and it detected none.

    Also: I set the WF scan to only do the password check so that it would run quickly. But it scanned all the files (many gigabytes) of files anyway.

    Running WordPress 3.8 and Buddypress

    https://www.ads-software.com/plugins/wordfence/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Wordfence Security

    (@mmaunder)

    Hi,

    The password check is not comprehensive because it’s very resource intensive to reverse engineer passwords after they’ve been created. So we check a few basic common bad passwords for low level users and do a more extensive check for higher level users.

    Regards

    Mark.

    I’m also running Buddypress, and activated a new user registration with a simple four-letter password. So this was missed in the password CREATION process. Am I missing something? I definitely have the Enforce Strong Passwords option selected.

    Thanks
    Bridie

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Strong password not enforced, weak password not detected in scan’ is closed to new replies.