These 2 features are often included in bigger plugins (Wordfence, iThemes Security, etc) but they should be core features so new users have to use them from the outset. Thanks!
Read-only archive : Issues · ClassicPress/ClassicPress · GitHub
Author : Martin Malden
Vote count : 30
Status : open
Tags : request-add-feature, difficulty-easy
Comments
Strong passwords: yes.
Password Expiry: if possible, make it at least a reasonable period. Like at least 3 months.
~ posted by Rudy Brinkman
The problem with this is that the notion of “strong passwords” that those plugins embrace is simply false. Passwords are not made stronger by the use of esoteric characters. In fact, the simplest way to make passwords stronger is just to make them longer, without any need for caps or punctuation. It’s a simple matter of math(s).
So I can’t support this idea if that’s what’s involved here. On the other hand, if you simply want to set a minimum length of password (say at 12 or 15 characters), then I’d be fine with that, and it’s then a simple matter of HTML with no need for PHP or JavaScript. Because all that’s needed (at least with any modern browser) is to include minlength="12" or minlength="15" in the password input field: Can I use... Support tables for HTML5, CSS3, etc
~ posted by KTS915
It’s also not clear to me what the security benefit is to requiring regular changes of password. Security plugins often trade on fear to drum up usage, so I’d need to see some evidence that requiring regular password changes achieves something worthwhile.
Without such evidence, all I can see this achieving would be annoying everyone. After all, who likes having to change their password frequently?
~ posted by KTS915
Setting a minimum length for passwords would work, as would HIBP support. My point about changing passwords is to reduce the risk where people use the same password on all their online accounts. But I do accept that people may only change 1 character (e.g. lowercase to uppercase) and then use the original version again later in the sequence, which wouldn’t bring much benefit.
~ posted by Martin Malden
I like the idea of explaining that longer passwords are more secure and giving the example of three four-letter words that have no connection like mikecatsrump or lampbeefidea are better passwords than p4ssw0rd!
~ posted by Malcolm Alexander Peralty
I vote leave this feature as a plugin. There are several plugins that already do this. Don’t bloat core with anything that could be left as a plugin.
If you are referring to the idea of making users use esoteric characters, etc, then you’re right. However, specifying a minimum length of password in HTML is the very opposite of creating bloat. There would be no PHP or JS to process, and the protection provided would mean that there would be, in the vast majority of cases, no reason to use a security plugin on top.
~ posted by KTS915
I agree that longer passwords are more secure than shorter passwords; however, I don’t agree with the notion that esoteric characters are pointless. The larger the set of characters from which to construct a password, the more permutations that are possible. More permutations = more secure. That said, I’d leave it up to site owners to decide how strong (or weak) their users’ passwords are.
~ posted by John
“Don’t bloat core with anything that could be left as a plugin.”
The problem is that a very large proportion of sites do not install plugins, and certainly not security ones. CP needs to be more secure by default.
At the very least, admin users should be able to say ‘no passwords rated less strong than (level)’.
I /think/ the current test accepts very long alpha-only passwords as being strong, but if not, it should…
~ posted by Ian
Putting a minimum password length in HTML is not enough because it is easily overridden. The length needs to be validated on the server side as well, as with any other type of user input.
This minimum length should also be an option. I don’t see any problem with that.
~ posted by James Nylen
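A sketch of the server-side check described in the comment above, as an added example that is not part of the original thread or of ClassicPress core. It assumes the existing `user_profile_update_errors` and `validate_password_reset` hooks; the `cp_min_password_length` option and all `cp_*` function names are hypothetical.

```php
<?php
// Added example, not ClassicPress core code. Hypothetical names: the
// cp_min_password_length option and every cp_* function below.

// Return an error message when $password has fewer than $min characters, else null.
function cp_password_length_error( $password, $min = 12 ) {
	// Count characters, not bytes, so multibyte passphrases are measured fairly.
	$length = function_exists( 'mb_strlen' ) ? mb_strlen( $password, 'UTF-8' ) : strlen( $password );
	return $length < $min
		? sprintf( 'Password must be at least %d characters long.', $min )
		: null;
}

// Apply the site option (floor of 8 is an assumption of this example) to a submitted value.
function cp_add_length_error( $errors, $submitted ) {
	if ( empty( $submitted ) ) {
		return; // No password change in this request.
	}
	$min = max( 8, (int) get_option( 'cp_min_password_length', 12 ) );
	// wp_unslash() strips the slashes added to request data, so the length is as typed.
	$message = cp_password_length_error( wp_unslash( $submitted ), $min );
	if ( null !== $message ) {
		$errors->add( 'pass', $message );
	}
}

// Profile and add-user screens: core copies the submitted password to $user->user_pass.
function cp_check_profile_password( $errors, $update, $user ) {
	cp_add_length_error( $errors, isset( $user->user_pass ) ? $user->user_pass : '' );
}

// Reset-password form: the new password arrives in $_POST['pass1'].
function cp_check_reset_password( $errors, $user ) {
	cp_add_length_error( $errors, isset( $_POST['pass1'] ) ? $_POST['pass1'] : '' );
}

if ( function_exists( 'add_action' ) ) {
	add_action( 'user_profile_update_errors', 'cp_check_profile_password', 10, 3 );
	add_action( 'validate_password_reset', 'cp_check_reset_password', 10, 2 );
} else {
	// Stand-alone run on constructed input: a request sent without a browser never
	// meets the minlength attribute, so this check is what rejects "short".
	foreach ( array( 'short', 'lampbeefidea' ) as $sample ) {
		var_dump( cp_password_length_error( $sample, 12 ) );
	}
}
```

The HTML `minlength` attribute can stay on the form as a usability hint; the hooks are what make the minimum binding.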
This is 2 separate requests based on 2 different principles.
All the evidence seems to suggest that:
- Websites’ strong password algorithms are all very well but there are other (easier to remember) ways of making strong passwords that may not get past a restrictive algorithm
- Password expiry works against having strong passwords
I’d be in favour of a minimum length but that’s all.
5 Likes
Me too.
Requiring “strong” passwords, such as those with numbers and other symbols, would also require that users use a password manager, and not everyone does that.
Enforced password expiry is also a hassle for those who don’t want this feature.
2 Likes
viktor, June 24, 2022, 5:33pm
The consensus is that both enforcing strong passwords and password expiry go against security recommendations. But, there is support for minimum length. This petition will be closed, but a new petition for minimum length will be created.
1 Like
viktor, June 27, 2022, 5:33pm (Closed)
This topic was automatically closed after 3 days. New replies are no longer allowed.