In a previous post I discussed the importance of Password Security, both in terms of creating a strong password as a user, and encrypting them as a site administrator. In this post I’ll cover the ins and outs of the password strength score in WordPress and WooCommerce.
The New Password Requirements
Back in October 2013, with the release of WordPress 3.7, we saw the introduction of the password strength meter on our sites. While there is no requirement to meet a minimum strength, the feature is meant to encourage users to reevaluate their passwords, increasing security for both themselves and the site.
More recently, with the release of WooCommerce 2.5, the password strength meter was added to the customer registration process, and it requires a minimum score of “strong” before allowing a user to register. This caused some debate in the development community, as passwords that were previously acceptable no longer met this standard.
What was Wrong with the Old Way
Traditionally, password strength is judged by password length and the size of the character set used (letters, numbers, symbols, etc.). This makes sense on paper: the number of possible passwords is the size of the available character set (lowercase alphabet, lowercase plus uppercase, symbols, etc.) multiplied by itself once for each character of length.
It turns out this estimate is imperfect, because humans tend to follow common patterns when creating passwords: common words; spatial, repeating or sequential patterns such as “qwerty”, “aaaaa” or “12345”; predictable capitalization; and substituting numbers or punctuation for letters. While we have been told these techniques make for a stronger password, they often make a password harder for a person to remember than for a computer to guess.
The Solution
WordPress uses zxcvbn, a password strength tool developed by Dropbox, to generate a more realistic estimate of password strength. The tool scores passwords on several factors, such as the use of common words, patterns, capitalization, and numbers or punctuation, and also checks them against a list of thousands of commonly used passwords.
While this may make it more difficult for users to create a password, it encourages the creation of a much stronger one. A good example is one of the most common passwords, “Password1”. A frightening number of sites would accept it. However, WordPress rates it “Very Weak”, and the zxcvbn password test estimates that a computer guessing 10 passwords a second would take only 4 seconds to crack it.
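To make the difference between the two models concrete, here is an added JavaScript illustration (not code from this post, from WordPress, or from zxcvbn) that puts the naive “character set to the power of length” estimate next to a much simplified pattern-aware estimator in the spirit of zxcvbn. The word list, the per-pattern multipliers and the score thresholds are constructed for this example, so its numbers are not zxcvbn’s; what it shows is how far the two models disagree on “Password1”, which the naive model rates as practically uncrackable and the pattern model rates as a handful of guesses.

```javascript
// Added example, not code from the post, WordPress or zxcvbn: a naive
// "charset to the power of length" estimate next to a much simplified
// pattern-aware estimate in the spirit of zxcvbn.

// Constructed word list in rank order (rank 1 = most common). The real
// zxcvbn ships lists with tens of thousands of entries.
const COMMON_WORDS = ["password", "qwerty", "letmein", "welcome", "monkey", "dragon"];

// Size of the character classes a string draws from (the naive model's alphabet).
function charsetSize(s) {
  let size = 0;
  if (/[a-z]/.test(s)) size += 26;
  if (/[A-Z]/.test(s)) size += 26;
  if (/[0-9]/.test(s)) size += 10;
  if (/[^a-zA-Z0-9]/.test(s)) size += 33; // printable ASCII punctuation
  return size;
}

// Naive model: every position is assumed independent and uniformly random.
function naiveGuesses(pw) {
  return Math.pow(charsetSize(pw), pw.length);
}

// Find the pattern that starts at position i. The multipliers are constructed
// for this example and are cruder than zxcvbn's real scoring.
function matchAt(pw, i) {
  const rest = pw.slice(i);
  const lower = rest.toLowerCase();

  // 1. Dictionary word, longest match first; capitalisation adds a small factor.
  const words = COMMON_WORDS.filter((w) => lower.startsWith(w))
    .sort((a, b) => b.length - a.length);
  if (words.length > 0) {
    const w = words[0];
    const token = rest.slice(0, w.length);
    const rank = COMMON_WORDS.indexOf(w) + 1;
    let caps = Math.pow(2, token.length); // arbitrary mixed case
    if (token === w) caps = 1; // all lowercase
    else if (/^[A-Z][a-z]+$/.test(token) || token === w.toUpperCase()) caps = 2;
    return { token, pattern: "dictionary", guesses: rank * caps };
  }

  // 2. Repeated character ("aaaaa"): pick the character, then the count.
  const rep = /^(.)\1{2,}/.exec(rest);
  if (rep) {
    return { token: rep[0], pattern: "repeat", guesses: charsetSize(rep[1]) * rep[0].length };
  }

  // 3. Sequence with a constant step of +1 or -1 ("12345", "abcd", "4321").
  const step = rest.length > 1 ? rest.charCodeAt(1) - rest.charCodeAt(0) : 0;
  let j = 1;
  if (Math.abs(step) === 1) {
    while (j < rest.length && rest.charCodeAt(j) - rest.charCodeAt(j - 1) === step) j++;
  }
  if (j >= 3) {
    const token = rest.slice(0, j); // choices: start char, length, direction
    return { token, pattern: "sequence", guesses: charsetSize(token) * token.length * 2 };
  }

  // 4. Run of digits (a trailing "1" or a year): 10 choices per digit.
  const digits = /^[0-9]+/.exec(rest);
  if (digits) {
    return { token: digits[0], pattern: "digits", guesses: Math.pow(10, digits[0].length) };
  }

  // 5. Nothing recognised: brute-force this one character.
  return { token: rest[0], pattern: "bruteforce", guesses: charsetSize(rest[0]) };
}

// Pattern-aware model: segment the password and multiply the segment guesses.
function patternGuesses(pw) {
  let guesses = 1;
  for (let i = 0; i < pw.length; ) {
    const m = matchAt(pw, i);
    guesses *= m.guesses;
    i += m.token.length;
  }
  return guesses;
}

// Map a guess count to the labels the WordPress meter shows. The thresholds are
// an assumption for this example, loosely modelled on zxcvbn's 0-4 score buckets.
function strengthLabel(guesses) {
  if (guesses < 1e6) return "Very weak";
  if (guesses < 1e8) return "Weak";
  if (guesses < 1e10) return "Medium";
  return "Strong";
}

// Time to exhaust the guess space at a fixed rate (the post's "10 a second").
function secondsToCrack(guesses, guessesPerSecond) {
  return guesses / guessesPerSecond;
}

function report(pw) {
  const pattern = patternGuesses(pw);
  return {
    password: pw,
    naiveGuesses: naiveGuesses(pw),
    patternGuesses: pattern,
    label: strengthLabel(pattern),
    secondsAt10PerSec: secondsToCrack(pattern, 10),
  };
}

for (const pw of ["Password1", "qwerty", "aaaaa", "12345", "xK9#vq2L"]) {
  console.log(report(pw));
}
```

Running it shows the gap the post describes: the naive model gives “Password1” 62^9 possibilities (well over a million years at 10 guesses a second), while the pattern model sees a rank-1 dictionary word with a capital letter followed by a single digit and rates it “Very weak” in a couple of seconds. The random-looking “xK9#vq2L” is the only one of the five that the pattern model rates “Strong”, because none of its segments matches anything cheaper than brute force.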
In conclusion, common password requirements that only demand a certain character set and a minimum length often do not come close to providing security. This is a bad habit we have learned as users and taught as developers. We often think that if these low standards are met our information is secure, when in fact we have created a false sense of security.
The addition of this advanced password test in WordPress and the strength requirement in WooCommerce customer accounts are steps in the right direction. While it will take time for us as users to unlearn some bad habits, it will make the internet and your business safer in the long run.