[wp-trac] [WordPress Trac] #28910: Password strength meter reporting 'Very Weak' for decent(?) password
WordPress Trac
noreply at wordpress.org
Tue Jul 15 18:02:35 UTC 2014
#28910: Password strength meter reporting 'Very Weak' for decent(?) password
--------------------------+------------------------------
Reporter: philipjohn | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.9.1
Severity: normal | Resolution: invalid
Keywords: | Focuses:
--------------------------+------------------------------
Changes (by iandunn):
* status: new => closed
* focuses: ui =>
* resolution: => invalid
Comment:
WordPress uses [https://github.com/dropbox/zxcvbn zxcvbn] to measure
password strength, so the best place to report this is directly to them.
I'm not sure there actually is a problem, though. I think most password
strength meters are 5+ years behind current cracking technology, and
`On3Hydra10!` is weak by today's standards (versus a strong password like
`HsqZu247 at 8,PMA at 74&r=}+63({&4w9`). I wouldn't be surprised if the `!` at
the end is being penalized because it's so predictable.
It's extremely common for people to tack on a symbol at the end of a
password, and `!` is one of the most commonly used symbols. Hackers know
that, and build their cracking tools accordingly. The fact that removing
it improved the grade could reveal a lack of nuance in zxcvbn's algorithm,
but at the end of the day I wouldn't recommend using either of those
passwords.
It's much better to
[http://en.support.wordpress.com/selecting-a-strong-password/ use a randomly generated password, along with a password manager]
to make it convenient.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28910#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
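
An added sketch (not part of the ticket and not zxcvbn's algorithm) contrasting a character-class meter with a pattern-aware estimate for the `On3Hydra10!` case discussed above. The word list, ranks, suffix set and multipliers are constructed assumptions.

```javascript
// Added illustration, NOT zxcvbn's algorithm. Word ranks and costs are constructed.
const WORDS = new Map([['one', 50], ['hydra', 20000], ['password', 2]]);
const LEET = { 3: 'e', 0: 'o', 1: 'l', 4: 'a', 5: 's', '@': 'a', $: 's' };
const SUFFIX = '!?.*#$'; // assumed set of commonly appended symbols

// Character-class meter: (pool size) ^ length, expressed in bits.
function naiveBits(pw) {
  if (!pw) return 0;
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33;
  return pw.length * Math.log2(pool);
}

// Split s into dictionary words (longest first); return their ranks, or null.
function splitWords(s) {
  if (s === '') return [];
  for (let i = s.length; i > 0; i--) {
    const rank = WORDS.get(s.slice(0, i));
    if (rank === undefined) continue;
    const rest = splitWords(s.slice(i));
    if (rest) return [rank, ...rest];
  }
  return null;
}

// Pattern-aware estimate for "words + digits + symbol suffix"; otherwise naive.
function patternBits(pw) {
  const [, core, digits, suffix] = /^([\s\S]*?)(\d*)([!?.*#$]{0,2})$/.exec(pw);
  const plain = core.toLowerCase().replace(/[30145@$]/g, (c) => LEET[c]);
  const ranks = splitWords(plain);
  if (!ranks) return naiveBits(pw); // no recognisable structure
  const upper = (core.match(/[A-Z]/g) || []).length; // 2 variants per capital
  const leet = (core.match(/[30145@$]/g) || []).length; // 2 per substitution
  const guesses = ranks.reduce((a, r) => a * r, 1) * 2 ** (upper + leet) *
    10 ** digits.length * SUFFIX.length ** suffix.length;
  return Math.log2(guesses);
}

console.log(naiveBits('On3Hydra10!').toFixed(1), patternBits('On3Hydra10!').toFixed(1));
```

Under these assumptions the trailing `!` contributes about 2.6 bits, while the character-class meter credits the whole password with 33 extra pool symbols across every position.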