[wp-hackers] On overly-obscure passwords

Otto otto at ottodestruct.com
Wed May 5 14:33:42 UTC 2010


Be real careful if you redefine that function. It's used for a lot
more than just those passwords.

Setting the special_chars parameter to default to false might be a
better way to go. That would prevent the punctuation from being in the
default passwords.

-Otto



On Wed, May 5, 2010 at 9:02 AM, Edward Dale <scompt at scompt.com> wrote:
> Passwords are generated using the wp_generate_password function
> defined in pluggable.php. You can override it by defining your own
> version somewhere, perhaps in your theme's functions.php. For example:
>
> function wp_generate_password($length = 12, $special_chars = true) {
>     // Placeholder body: as written, every caller receives this same string.
>     return "random_password";
> }
>
> Cheers,
> Edward
>
> On Wed, May 5, 2010 at 11:57 AM, Baki Goxhaj <banago at gmail.com> wrote:
>> Even allowing the users to choose their own password during the recovery
>> process would be really good.
>>
>> Personally I have not had such a reaction from any of my clients, but that
>> seems like something that needs some attention.
>>
>> Baki
>>
>> 00355 67 22 44 213
>> info at wplancer.com
>> www.wplancer.com
>>
>>
>> On 5 May 2010 11:53, John Blackbourn <johnbillion+wp at gmail.com> wrote:
>>
>>> The new passwords that are generated by WordPress when you go through
>>> the "forgot your password" process are overly obscure and are
>>> confusing for some users. An example of a password generated by
>>> WordPress is "vRC0jaq$t^Mv".
>>>
>>> I've now encountered three clients of mine who have not proceeded to
>>> log in to WordPress with this password as they were confused by it or
>>> thought that something had gone wrong. I understand that the more
>>> obscure a password is, the harder it is to crack, however in this case
>>> I think these overly obscure passwords are having a negative effect on
>>> user experience. Surely a password such as "f3nDTwp2" is obscure
>>> enough, without the added non-alpha-numeric characters?
>>>
>>> I think the use of wp_generate_password() in the password recovery
>>> process should be changed so that special characters are not used. It
>>> may even be desirable to introduce another parameter to this function
>>> so that only lowercase letters are used in this case.
>>>
>>> Opinions?
>>>
>>> John
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>
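
Otto's suggestion above, sketched as an added example (not code from the thread or from WordPress core): a replacement wp_generate_password() whose $special_chars default is false, so callers that pass true explicitly still get punctuation. Assumptions: the file is loaded before pluggable.php (for example from a plugin), PHP 7+ for random_int(), the character sets are modelled on the core function, the third parameter follows current WordPress core rather than the signature quoted in the thread, and example_password_bits() is a hypothetical helper for comparing the alternatives raised in the thread.

```php
<?php
// Added example, not WordPress core code.
// Assumption: character sets are modelled on the core function; verify them
// against the WordPress version you run.
if ( ! function_exists( 'wp_generate_password' ) ) {
    function wp_generate_password( $length = 12, $special_chars = false, $extra_special_chars = false ) {
        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        if ( $special_chars ) {
            $chars .= '!@#$%^&*()';
        }
        if ( $extra_special_chars ) {
            // Third parameter as in current core; not shown in the thread.
            $chars .= '-_ []{}<>~`+=,.;:/?|';
        }
        $max      = strlen( $chars ) - 1;
        $password = '';
        for ( $i = 0; $i < $length; $i++ ) {
            // random_int() uses the OS CSPRNG and avoids modulo bias.
            $password .= $chars[ random_int( 0, $max ) ];
        }
        return $password;
    }
}

// Hypothetical helper: bits of entropy of a uniformly random password.
function example_password_bits( $length, $alphabet_size ) {
    return $length * log( $alphabet_size, 2 );
}

// Stand-alone run (outside WordPress): compare the options from the thread.
if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    $cases = array(
        '12 chars, letters+digits+punctuation' => array( 12, 72 ),
        '12 chars, letters+digits'             => array( 12, 62 ),
        '8 chars, letters+digits'              => array( 8, 62 ),
        '12 chars, lowercase only'             => array( 12, 26 ),
    );
    foreach ( $cases as $label => $c ) {
        printf( "%-38s %5.1f bits\n", $label, example_password_bits( $c[0], $c[1] ) );
    }
    echo 'sample: ', wp_generate_password(), "\n";
}
```

Run from the command line, the script prints the entropy of each alternative, which shows that shortening the password or restricting it to lowercase costs far more than dropping the ten punctuation characters.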

