How strong is your password?
No matter how good the software running on a website is, there is always the human factor. If your password is “test”, “1234”, “qwerty” or anything obvious then you are putting your blog at risk of having it hacked. For that reason the password change form on the profile page now checks how strong your password is.
A password can have four levels of strength:
- Too short
- Bad
- Good
- Strong
Please try to make your passwords “strong”, but we’ll accept “good” passwords too. It makes it a bit harder to change your password but the extra effort is worth it.
We’re using this code by Phiras. Thank you Phiras for making it available! I’m going to integrate this into WPMU soon as strong passwords are so important for site security.
Wow! It’s ages since I’ve made a post about a new feature here. There’s a good reason for that. My wonderful son Adam was born on April 21st and had a small bit to do with my lack of updates. I’m working on a few more things now so I’ll be back to blog about more goodies soon!
- June 7, 2007
- Features, New Features, Security, WordPress.com
WordPress.com News 
Congrats first……………….. wishing all good for your son…
password strength counter is a cool one.. 🙂 will this be available for self hosted blogs?
LikeLike
This is pretty good stuff.
By the way, Adam is sooo cute.
LikeLike
Good feature added..
LikeLike
Donncha, congratulations. Adam looks like a beautyfull baby.
Thanks for the concern about PWs. As an ex-geek, I recall promoting good passwords to people with whom I worked. It was a difficult sale.
I recommended using a readily memorable phrase, extracting the initial letters from it, and substituting numerals and punctuation for some of those letters. There are lots of illustrations on the Web of how to do this. Perhaps it will help some users to create secure passwords.
That said, I realize I’m using a relatively less secure PW. I ought to update mine.
Thanks, too, for the lesson in creating high key portraits!
LikeLike
If its WordPress, it has to keep getting better. No doubt WP beats the best in the biz.
Can this new feature be termed as a ‘User Generated’ one? If yes, I bet there’re 1,053,448 bloggers building WordPress.
LikeLike
thanks for the tip.
LikeLike
Μy password is “ebt76543jq”. I guess it’s very strong, isn’t it?
😉
LikeLike
Thank you for new improvement!!
LikeLike
I use a string of random letters and numbers for my password.
LikeLike
Congrats on the birth of your son. He’s a cutie!
LikeLike
Great thing, It was something I hope before
LikeLike
Thanks for the reminder about security. And congratulations!
LikeLike
Congratulations on your son’s birth~!
Regarding the password feature, this is excellent! It’s also nice to know that the password I’ve been using for quite some time now is considered strong.
Cheers!
LikeLike
Congrats !
LikeLike
Cute baby!
LikeLike
Two great new additions! Congrats and make sure to help mom get some sleepy time in. Pay now or PAY later 😉
LikeLike
pascal
, now that you’ve given us your password, it’s not that strong anymore. 😛
LikeLike
Good work! I remember once getting yelled at by customers that they needed any password at all to access their account details (incl credit cards!) and especially one that had so many rules on how to make a password. I don’t understand why people wanted their accounts to be so unsafe, and then whinge later if someone broke into their broadband (and actually got it turned off). *sigh* Anyway, smart thinking!
LikeLike
Take your time and enjoy your Son…ain’t nothing like the real thing Baby.
amm
LikeLike
I’d never tested my passwords, so it was interesting to give them a test 🙂 Thanks.
LikeLike
Your son is beautiful! Welcome back and thanks for the updates.
Babies are a gift from God! Praise the Lord for this amazing present and precious life He has given you.
P.S. I share the same birthday with Adam.
Blessings to you,
Scotti
LikeLike
Is it essential to change the password or are you just suggesting we should do it?
Congratulations for the birth of your son.
LikeLike
Strong Password, huh? How about $t0|\|ec0|_|)$te\/e@|_|$t||\|
and Congratulations for your li’l bundle of joy.
LikeLike
It’s helpful.
Congratulations!
LikeLike
Thanks for the update!
LikeLike
I don’t know what my passwords are. (Safer if I am deemed a terrorist and tortured. No information to give up.) ROBOFORM handles all my passwords for me. 🙂
LikeLike
Nice idea, but it has many weaknesses. It does not consider the possibility of dictionary attacks – it considers “0123456789” to be a good password. In reality, a dictionary attack would break it within quite a short time (I think about 20000 attempts at max.)
Additionally, I do not think this much paranoia is necessary. A bruteforce attempt against a password not in a dictionary, consisting of 6 random lowercase characters, using 10 attepts per second (and 36000 failed login attempts per hour on one blog would probably alert the admin team!), running for 10 days 24/7, would break the password with a probability of 3%. However, this password is still considered “bad”. Even an 8-lowercase-letter password is considered bad. The same bruteforce attack, running for a whole year, would have a 0.15% chance of breaking the password!
If anyone wants to hack some blogs, he is going to do a simple dictionary attack, so nearly ANY password not in a password cracking dictionary (qwertz, 123456, asdf and similar things ARE in such dictionaries) will protect well enough. If anyone wants to hack exactly YOUR blog, he WILL infect your pc with a trojan and steal the password or sniff it from a network you use, and then even an ultra-secure password like f”gh&&sah/svSD13″bjh+§#gHW23= is not going to help you.
In my opinion, a simple dictionary test should be run against new passwords, and maybe a minimum length of 6 characters could be imposed. Together with effective server-side login delays (if wrong password entered more than 3 times, wait 5 seconds before telling the user if the password was wrong or right, and make sure he can not circumvent this by trying thousands of passwords in parallel), this should avoid any hacking attacks. It would be more interesting to allow users to limit admin menu access to https to avoid sending auth cookies or even passwords out in plain view and if there are failed login attempts since the last successfull login, the user should get a warning in red letters “n failed login attempts since last login” together with a option to view the IPs, and maybe a “last login: (date) (time)” display.
LikeLike
Congrats , Adam welcome to World Press Planet Org.
LikeLike
Nice idea. Maybe you could add it to the user pages for admins who are editing other users as well?
LikeLike
congratulations to you and ur family on your new son…tooooooooooooo sweet…and thx for all the wonderful updates u offer here…lookin forward to the password thing to be setup…be bless and enjoy your new baby… -g-
LikeLike
Your baby is beautiful! A million congratulations!!!!!
LikeLike
Congrats on the new baby. May he have a long and wonderful life.
About the password, I always wanted someone to tell me how good or bad my password was. Thanks.
Right now that line is just black, I guess I need to change the password to find out how good or bad it is.
LikeLike
this is awesome, and congrats on the new one…
the life is re-cycling !
Congrats once again
LikeLike
Aww such a cute baby! ^_^.
LikeLike
Sounds good!
LikeLike
Yay, another new baby in the world, you might guess I rather adore babies myself:)
LikeLike
A wonderful little boy! He has a GREAT birthday!
My son was also born on April 21 . . . only in 2003!
Wishing you all the best in the new adventure!
LikeLike
Ok, I was wondering what the “password strenth” thing on my profile was
LikeLike
Congratulations on the baby and nice feature. 🙂
LikeLike
Nice feature – one small bug. If you try to change your profile without changing your password it says “password too short”, and you have to re-enter your password each time.
LikeLike
I have to nod towards Jan’s idea. This is a blog, not a bank account. If you are putting that sensitive info on here, step back and ask why. People like Scoble may loose few hundred — near a thousand posts, but I doubt he would threaten to sue. I personally would loose little over 250 posts and 1200 comments, but I wouldn’t threaten to come after you guys. Yeah, I would be bummed to loose a few posts.
Congrats on the baby.
LikeLike
My password is monkey, is that good? kidding, Thanks.
LikeLike
Congratulations first.
But I am agree with Jan, is dummy.
The easy rule for a strong password is: minimum 8 characters length and requires at least one number, one uppercase letter and one number. For example: w0rdpRe$$.
Congrats again!!!
LikeLike
Congratulations! I think it’s a worthy addition–not necessarily perfect, but not intended to be either.
And for my shamless plug, i’m calling on all Canadians to visit my blog. 😉
LikeLike
Congratulations on the beautiful baby boy
LikeLike
no matter what I do it keeps on saying “Password is too short” though the indicator says it’s “STRONG”.
Congrats on your lil munchkin, by the way.
LikeLike
thanks, and handsome son! know U R proud! best I can do is share dog pics. free for slides sat. nite?
LikeLike
i wish you and your family all the best.
the best way to keep your password safe its changin every month. i know it keeps safe if you make stronger mixing upper case, lower case and numbers…
LikeLike
Good Job Dude! 🙂
LikeLike
Felicitations! And thanks for the password security improvement.
LikeLike
I like the idea of password strength, although it’s not 100% foolproof, ti would at least make the users more conscious of security.
PS. Congrats on the new born baby!
LikeLike
Congrats on your son! I love the password strength meter. As a System Administrator I know how important strong passwords can be, thanks for providing this service. I’ve blogged on occasion about some of my experiences as a Sys Admin and trying to deal with people who want easy passwords, instead of secure passwords – not fun at all.
LikeLike
Great new feature! I am glad to see that password strength is something being supported in WP and WPMU.
I currently am finishing up my first year of teaching a basic computer class in a local college, and password strength is something that I really found to be a problem among the masses. I am so very glad to see this update in the great WP code!
LikeLike
Congratulations! Welcome baby Adam. (love that name)
Oh yeah good feature too.
LikeLike
I wrote a post about generating unbreakable passwords a while back.
LikeLike
whatever I try, changing my PW doesn’t work.
I always get “Password to short” (Perhaps 32 chars is not enough?^^)
LikeLike
I think I have a strong password. It’s ‘aPPl3j4cks’. Is that a good password?
Hahaha. I’m just kidding of course.
LikeLike
For some unknown reason, I’m still using the password that was automatically generated when I created my blog account. According to the “Update Your Password” box, the password *that WordPress gave me* is only “Good”… and too short! Guess I should change it!
LikeLike
I love you guys
LikeLike
congratulations 🙂
and a nice new feature …
LikeLike
hmm i guess my password is strong enough…..but still a good feature…
n yes Congrats on the cutie pie!!!
LikeLike
Congradulation! We had our first child on April 26th! Good luck and best wishes.
LikeLike
ooh thanks for the password strength checker link. have been wanting that for along time now. couldnt find it.
LikeLike
That’s very nice, already checked it.
LikeLike
congratulations!! My first were twins….what chaos! They are now 18 and healthy so I made it….
I am sure you will enjoy blogging with Adam and think where we will be technologically when he is 18…. 😉
Susan in Italy
LikeLike
Thanks for the update!
LikeLike
second the motion, Dan’s observation. This has been discussed in the forum, they eventually solved it.
Congrats on this neat feature, hopefully you can also integrate Jan’s comments sometime. 🙂
LikeLike
That’s a great idea improving security. Thanks a lot!!!
LikeLike
Thanks everyone for your kind comments about Adam! Mark told me about the “password is too short” bug and I fixed it last night so everything should work ok.
I’d like to add a dictionary check when you submit your password but I think the current measures will do for the time being!
LikeLike
Donncha,
For new life, congratulations. For making this blog a possibility for our peace group’s efforts many thanks. For offering guidance on password suitability, great help!
David-moderator of Klamath BasinPeace Forum
LikeLike
My password can bench 350lbs.. ten times.
LikeLike
My password is is being changes as we speak to make it as difficult as possible to crack
LikeLike
Thanks for this, and all the best to the extended WP family !
LikeLike
Uh – I guess I’d say Strong to Very Strong…
HAH!
LikeLike
Thank you for implementing this great tool! Congratulations and enjoy Adam, your bundle of joy!
LikeLike
Great update and congrats on the baby.
LikeLike
Nice work 🙂 ,
I have to improve my algorithm to care about more things in the future.
LikeLike
Congrats!!!
LikeLike
Thanks for the informative article – and want to say congratulations on the birth of your beautiful child. Children are wonderful and precious – we all need to protect and nourish them, yet provide them with guidelines as they grow. It is hard to be a parent! The magical years to me, not that there isn’t reward as they grow older is from birth to about six years old. I have many fond recollections of those years with my son.
Wish the best for you and your child.
LikeLike
Congrats on your son!!! And thanks for still thinking about us!
LikeLike
I’m late to the party, but wishing you congratulations nonetheless.
How wonderful for you and your family!
LikeLike
Mine password is 39 characters long
LikeLike
My daughter shares your son’s birthday too – and you know what? So does the British Queen 😀
Thanks for the heads-up. Good to see my password is graded ‘strong’ – maybe I should use it for the house alarm too ;D
LikeLike
Congratulations on your new “feature” and thank you for the new WordPress feature.
LikeLike
Congratulations and God’s blessings on Adam and your family. Thanks for the reminder of password strength.
LikeLike
I think, a password is an “asmat,” a word used by a sorcerer to cheat other people, and this kind of cheating people by utilizing strange words has been used in African countries, especially in Ethiopia.
LikeLike
its so good sorry but i cant give you my password 8)
LikeLike
I was using a very weak password until I read this.
This article has forced me to change my password.
Very glad I read this.
bonusbuilder
LikeLike
i hate my password…i’m filing for divorce…
LikeLike
nice one…most of the WP fans can now…be even more secure!!!
Cheerz
Shri
LikeLike
Really, a usefull indicator. thanks
LikeLike
Nice Security advice ! I’ve a soft one !
LikeLike
i just wanted to see me avatar :-p
LikeLike
Congratulations on the baby!
Thanks for the new feature.
LikeLike
luv this post!
keep the good work! 🙂 thx for the suggestions!
Greetings!
LikeLike
thanks for the info; and it feels like a dilagoue; the human-mahine talk-touch keeps surfacing in wordpress.
LikeLike