On Monday, Mark Jaquith confirmed that WordPress 4.3 will see an overhaul in the way passwords are generated.
The changes will nudge WordPress users towards stronger login credentials, which in turn makes their sites harder to compromise. A stronger password also makes a site far less vulnerable to brute-force and credential-guessing attacks against the login form.
The proposed updates focus on the way passwords are chosen, as well as changing some important default settings in the UI.
Let’s take a quick look at the four main points coming out of the proposal:
- WordPress will generate strong passwords by default. You can override this and type your own password, of course, but it will take an extra step. This should deter some users from choosing a manual password, which is typically weaker than a generated one.
- Passwords shown in plain text. This reduces typos, makes the second confirmation field redundant, and lets users see the password that was generated for them.
- Help users choose better manual passwords. At present, WordPress rates your password strength on a scale from Very Weak to Strong. In 4.3, WordPress will actively help you make your password stronger with concrete suggestions (make the password longer, use an upper case character, use a special character, and so on).
- Double confirmation for weak passwords. If users ignore the suggestions and proceed with a weak password, WordPress will display an "are you sure?" loop. This will encourage some users to go back and strengthen their password.
Defaulting to strong WordPress-generated passwords is a step in the right direction in my opinion. When asked to create a password, many users' minds go blank, and they fall back on a weak, easily guessed password.
For users who want to choose their own passwords, a WordPress auto-suggest function would certainly encourage stronger credentials, especially if we can highlight the risks of weak passwords at the same time.
Personally, I'm not too sure about the plain text passwords proposal, though. Many users log in with other people around them, and a password shown on screen is an unnecessary shoulder-surfing risk.
It's worth pointing out that many of these proposed changes were inspired by the WordPress.com UI. Take it for a test ride by following this link; it should give you an idea of how things might look in WordPress.org in the future.
As well as the four points covered above, the core team has also proposed these changes:
- Auto-generated passwords when creating accounts for other users
- Auto-generated passwords when resetting password
- Password reset links should expire after a short period of time
- Email notification of password/email changes (sent to the old email address, of course, so the legitimate owner is warned even if an attacker has just changed the address on the account)
Again, these are all logical improvements, targeting weak passwords and the common account-takeover weaknesses around reset and recovery.
Great work by the core team, as always—looking forward to a more secure 4.3!
What do you think of the proposed password changes in WordPress 4.3? Share your thoughts in the comments below!