ClassicPress Petitions
This is a read-only archive. Post or comment on the live version of this page on our forums.

Please add 'Enforce strong passwords' and 'Password Expiry' to the core.

September 8, 2018 · 02:28 · Martin Malden
Description

These 2 features are often included in bigger plugins (Wordfence, iThemes Security, etc) but they should be core features so new users have to use them from the outset. Thanks!

Tags
Difficulty: Easy
Request: Add feature
Discussion
Rudy Brinkman

Strong passwords: yes.
Password Expiry: if possible, make it at least a reasonable period. Like at least 3 months.

Malcolm Alexander Peralty

Make expiry something you can set and have it let you know when it is close to needing to be reset.

KTS915

The problem with this is that the notion of "strong passwords" that those plugins embrace is simply false. Passwords are not made stronger by the use of esoteric characters. In fact, the simplest way to make passwords stronger is just to make them longer, without any need for caps or punctuation. It's a simple matter of math(s).

So I can't support this idea if that's what's involved here. On the other hand, if you simply want to set a minimum length of password (say at 12 or 15 characters), then I'd be fine with that, and it's then a simple matter of HTML with no need for PHP or JavaScript. Because all that's needed (at least with any modern browser) is to include minlength="12" or minlength="15" in the password input field: https://caniuse.com/#search=minlength

Wade Striebel

An alternative is default support for HIBP (https://haveibeenpwned.com/API/v2) that checks for passwords that have been seen in breaches.
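The HIBP check Wade mentions does not need the site to send the password anywhere. The Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known suffix with that prefix, so the match is made locally. The following is an added example (not ClassicPress code, and not the project's own implementation); it assumes the range endpoint layout `https://api.pwnedpasswords.com/range/{prefix}` and uses a constructed response so it runs offline, with a made-up breach count.

```python
"""k-anonymity range check against a Pwned Passwords style API (added example)."""
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Assumed endpoint layout of the Pwned Passwords range API.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerate CRLF, blank lines and non-numeric counts."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count) if count.strip().isdigit() else 0
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Live lookup over HTTPS; only the 5-char prefix ever leaves the server."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed response for prefix 5BAA6 (the prefix of sha1("password")).
# The counts are made up for the example; the real API returns live figures.
FAKE_RESPONSE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "00A5CB5A3E8A4F5C3E6E5E1A7D4B0A1B2C3:2\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range_http so the example runs without network access."""
    return FAKE_RESPONSE_5BAA6 if prefix == "5BAA6" else ""


def registration_check(password: str,
                       fetch_range: Callable[[str], str] = offline_fetch) -> Optional[str]:
    """Return a rejection message for a breached password, or None if it is acceptable."""
    n = breach_count(password, fetch_range)
    if n:
        return f"This password has appeared in {n} known breaches; please choose another."
    return None


if __name__ == "__main__":
    print(registration_check("password"))
    print(registration_check("lampbeefidea"))
```

Swap `offline_fetch` for `fetch_range_http` to query the live service; if the lookup fails (timeout, outage), decide explicitly whether registration should proceed, since silently treating a failed request as "not breached" makes the check easy to lose.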

KTS915

It's also not clear to me what the security benefit is to requiring regular changes of password. Security plugins often trade on fear to drum up usage, so I'd need to see some evidence that requiring regular password changes achieves something worthwhile.

Without such evidence, all I can see this achieving would be annoying everyone. After all, who likes having to change their password frequently?

Martin Malden

Setting a minimum length for passwords would work, as would HIBP support. My point about changing passwords is to reduce the risk where people use the same password on all their online accounts. But I do accept that people may only change 1 character (e.g. lowercase to uppercase) and then use the original version again later in the sequence, which wouldn't bring much benefit.

Malcolm Alexander Peralty

I like the idea of explaining that longer passwords are more secure and giving the example that three four-letter words that have no connection, like mikecatsrump or lampbeefidea, are better passwords than p4ssw0rd!

KTS915

>I like the idea of explaining that longer passwords are more secure and giving the example that three four-letter words that have no connection, like mikecatsrump or lampbeefidea, are better passwords than p4ssw0rd!

A colleague of mine makes a point of saying that regularly. I think it's a great idea.

Jeff Starr

I vote leave this feature as a plugin. There are several plugins that already do this. Don't bloat core with anything that could be left as a plugin.

Fabian Wolf

xkcd.com explains this principle wonderfully: https://www.xkcd.com/936/

KTS915

>I vote leave this feature as a plugin. There are several plugins that already do this. Don't bloat core with anything that could be left as a plugin.

If you are referring to the idea of making users use esoteric characters, etc, then you're right. However, specifying a minimum length of password in HTML is the very opposite of creating bloat. There would be no PHP or JS to process, and the protection provided would mean that there would be, in the vast majority of cases, no reason to use a security plugin on top.

John

I agree that longer passwords are more secure than shorter passwords; however, I don't agree with the notion that esoteric characters are pointless. The larger the set of characters from which to construct a password, the more permutations are possible. More permutations = more secure. That said, I'd leave it up to site owners to decide how strong (or weak) their users' passwords are.
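Both KTS915's "simple matter of math(s)" and John's permutations point reduce to the same arithmetic: a uniformly random password of L characters from an alphabet of N symbols has N^L possibilities, i.e. L * log2(N) bits, and a passphrase of W words from a D-word list has W * log2(D) bits. The added example below (not part of the thread) carries that through for the figures people quote here; the dictionary sizes are assumptions, including a 2,048-word list as in the xkcd strip and a rough 2,000-word pool of common four-letter words.

```python
"""Guessing-space arithmetic for length vs. character set (added example)."""
import math

# Alphabet sizes used in the comparisons below.
CHARSET_SIZES = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ASCII": 94,
}


def bits_for_random_string(charset_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `charset_size`."""
    return length * math.log2(charset_size)


def bits_for_passphrase(dictionary_size: int, words: int) -> float:
    """Entropy in bits of `words` words drawn uniformly from a list of `dictionary_size`."""
    return words * math.log2(dictionary_size)


def length_needed(charset_size: int, target_bits: float) -> int:
    """Smallest length whose uniform-random space reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(charset_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given offline guessing rate (worst case for the attacker)."""
    return (2.0 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def comparison_table() -> dict:
    """Worked figures for the thread's examples. Dictionary sizes are assumed."""
    return {
        # 8 chars from the full printable set: the classic "complex" policy.
        "8 x printable ASCII": bits_for_random_string(94, 8),
        # 12 lowercase letters, if they were actually chosen at random.
        "12 x lowercase (random)": bits_for_random_string(26, 12),
        # 'mikecatsrump' judged as 3 words from an assumed ~2,000-word list.
        "3 words from 2000-word list": bits_for_passphrase(2000, 3),
        # xkcd 936's four words from a 2,048-word list.
        "4 words from 2048-word list": bits_for_passphrase(2048, 4),
        # Lowercase length matching the 8-char complex policy.
        "lowercase length matching 8 x ASCII": length_needed(26, bits_for_random_string(94, 8)),
    }


if __name__ == "__main__":
    for label, value in comparison_table().items():
        print(f"{label:40s} {value:8.1f}")
    print("years to exhaust 44 bits at 1e9 guesses/s:",
          years_to_exhaust(44, 1e9))
```

The table is deliberately a double-edged illustration: twelve random lowercase letters (about 56 bits) beat eight random printable characters (about 52 bits), which is KTS915's point, but the same twelve letters assembled from three dictionary words are worth only as many bits as the word list allows, so a passphrase policy has to assume the attacker knows the word list and size it accordingly.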

Ian

"Don't bloat core with anything that could be left as a plugin."

The problem is that a very large proportion of sites do not install plugins, and certainly not security ones. CP needs to be more secure by default.

At the very least, admin users should be able to say 'no passwords rated less strong than (level)'.

I /think/ the current test accepts very long alpha-only passwords as being strong, but if not, it should...

Pedro de Carvalho

Password expiry is not such a good security measure. Some literature: https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

James Nylen

Putting a minimum password length in HTML is not enough because it is easily overridden. The length needs to be validated on the server side as well, as with any other type of user input.

This minimum length should also be an option. I don't see any problem with that.
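The split James Nylen describes, a `minlength` attribute as a browser hint plus the same rule re-checked where the form is processed, looks like the following. This is an added example rather than ClassicPress code; it is written in Python instead of PHP for illustration, the default of 12 characters is taken from KTS915's suggestion, and the extra checks (confirmation match, no surrounding whitespace, not equal to the username) are assumptions about what such an option might bundle.

```python
"""Client hint plus authoritative server-side minimum-length check (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_MIN_LENGTH = 12  # assumed default for the proposed option


def password_field_html(min_length: int = DEFAULT_MIN_LENGTH) -> str:
    """The browser-side hint: a compliant browser refuses to submit shorter input."""
    return ('<input type="password" name="pass1" autocomplete="new-password" '
            f'minlength="{int(min_length)}" required>')


@dataclass
class ValidationResult:
    ok: bool
    errors: List[str] = field(default_factory=list)


def validate_new_password(form: Dict[str, str],
                          min_length: int = DEFAULT_MIN_LENGTH) -> ValidationResult:
    """Server-side check on the submitted form, independent of any browser behaviour.

    `form` is the parsed POST body (pass1, pass2, user_login). A request built by
    any non-browser client carries no minlength, so the length rule lives here.
    """
    errors: List[str] = []
    pw = form.get("pass1", "")
    confirm = form.get("pass2", "")

    if not pw:
        errors.append("A password is required.")
    elif pw != confirm:
        errors.append("The two password fields do not match.")

    # len() counts code points, not bytes, so non-ASCII passwords are not over-credited.
    if len(pw) < min_length:
        errors.append(f"Password must be at least {min_length} characters.")

    if pw and pw.strip() != pw:
        errors.append("Leading or trailing whitespace is not allowed.")

    login = form.get("user_login", "")
    if pw and login and pw.lower() == login.lower():
        errors.append("Password must not be the same as the username.")

    return ValidationResult(ok=not errors, errors=errors)


if __name__ == "__main__":
    print(password_field_html())
    # Constructed submissions: one that a browser would have blocked, one that passes.
    print(validate_new_password({"pass1": "short", "pass2": "short", "user_login": "martin"}))
    print(validate_new_password({"pass1": "lampbeefidea", "pass2": "lampbeefidea",
                                 "user_login": "martin"}))
```

Making `min_length` a stored option (with the HTML attribute rendered from the same value) keeps the hint and the enforcement in step; the length rule is the one the browser can be bypassed on, so it is the one that must never exist only in the template.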

Andy Gee

I am in favor of requiring users to have strong passwords by default; however, I am absolutely against a password expiry of any kind being the default or even an option.
Here's why:
https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html