These 2 features are often included in bigger plugins (Wordfence, iThemes Security, etc) but they should be core features so new users have to use them from the outset. Thanks!
Strong passwords: yes. Password expiry: if possible, make it at least a reasonable period, like at least 3 months.
Make expiry something you can set and have it let you know when it is close to needing to be reset.
The problem with this is that the notion of "strong passwords" that those plugins embrace is simply false. Passwords are not made stronger by the use of esoteric characters. In fact, the simplest way to make passwords stronger is just to make them longer, without any need for caps or punctuation. It's a simple matter of math(s).
An alternative is default support for HIBP (https://haveibeenpwned.com/API/v2) that checks for passwords that have been seen in breaches.
It's also not clear to me what the security benefit is to requiring regular changes of password. Security plugins often trade on fear to drum up usage, so I'd need to see some evidence that requiring regular password changes achieves something worthwhile.
Without such evidence, all I can see this achieving would be annoying everyone. After all, who likes having to change their password frequently?
Setting a minimum length for passwords would work, as would HIBP support. My point about changing passwords is to reduce the risk where people use the same password on all their online accounts. But I do accept that people may only change 1 character (e.g. lowercase to uppercase) and then use the original version again later in the sequence, which wouldn't bring much benefit.
I like the idea of explaining that longer passwords are more secure and giving the example of three four letter words that have no connection like mikecatsrump or lampbeefidea are better passwords than p4ssw0rd!
>I like the idea of explaining that longer passwords are more secure and giving the example of three four letter words that have no connection like mikecatsrump or lampbeefidea are better passwords than p4ssw0rd!
A colleague of mine makes a point of saying that regularly. I think it's a great idea.
I vote leave this feature as a plugin. There are several plugins that already do this. Don't bloat core with anything that could be left as a plugin.
xkcd.com explains this principle wonderfully: https://www.xkcd.com/936/
>I vote leave this feature as a plugin. There are several plugins that already do this. Don't bloat core with anything that could be left as a plugin.
If you are referring to the idea of making users use esoteric characters, etc, then you're right. However, specifying a minimum length of password in HTML is the very opposite of creating bloat. There would be no PHP or JS to process, and the protection provided would mean that there would be, in the vast majority of cases, no reason to use a security plugin on top.
I agree that longer passwords are more secure than shorter passwords; however, I don't agree with the notion that esoteric characters are pointless. The larger the set of characters from which to construct a password, the more permutations are possible. More permutations = more secure. That said, I'd leave it up to site owners to decide how strong (or weak) their users' passwords are.
"Don't bloat core with anything that could be left as a plugin."
The problem is that a very large proportion of sites do not install plugins, and certainly not security ones. CP needs to be more secure by default.
At the very least, admin users should be able to say 'no passwords rated less strong than (level)'.
I /think/ the current test accepts very long alpha-only passwords as being strong, but if not, it should...
Password expiry is not such a good security measure. Some literature: https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
Putting a minimum password length in HTML is not enough because it is easily overridden. The length needs to be validated on the server side as well, as with any other type of user input.
This minimum length should also be an option. I don't see any problem with that.
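The server-side check asked for above (a minimum length validated on the server rather than only in HTML), combined with the HIBP lookup suggested earlier in the thread and a length-versus-charset comparison for the three-word-password point, as an added Python example that is not from this thread or from ClassicPress. The HIBP range call is replaced by a constructed in-memory stand-in so it runs offline, and MIN_LENGTH is an assumed policy value.

```python
import hashlib
import math
import string

MIN_LENGTH = 12  # assumed policy value; the thread only asks for "a minimum length"


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size), where the
    alphabet is the union of the character classes the password actually uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(size) if size else 0.0


def hibp_range_query(password: str, fetch_range) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the server.
    fetch_range(prefix) returns the response body, one 'SUFFIX:COUNT' per line.
    Returns how many times the password appeared in breaches (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def constructed_hibp(prefix: str) -> str:
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    The real service lists every hash suffix for the prefix; this one only knows
    two sample 'breached' passwords so the example runs offline."""
    breached = {"p4ssw0rd!": 3, "password": 1000}  # constructed sample data
    lines = []
    for pw, count in breached.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def validate_password(password: str, fetch_range=constructed_hibp):
    """Server-side policy: reject short passwords and any password seen in a
    breach, regardless of what the HTML form claimed. Returns (ok, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    seen = hibp_range_query(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in known breaches"
    return True, "ok"
```

Against the stand-in, the twelve-letter "mikecatsrump" passes while "p4ssw0rd!" is rejected both for length and as a breached password.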
I am in favor of enforcing users to have strong passwords by default; however, I am absolutely against a password expiry of any kind being default or even an option. Here's why: https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html