A password that contains:
- at least one capital letter,
- at least one small letter,
- at least one number and
- at least one non-alphanumeric character,
is considered moderate to strong (sometimes even very strong) on all systems that I’ve been using so far… except WordPress, where it is considered very weak. What am I missing here?
If this is a very weak password, then what rules should it match to be considered strong or very strong by the person who created the password strength meter in the WordPress.org Network system?
The password strength meter in the latest versions of WordPress uses a library called “zxcvbn”, made by Dropbox in 2012.
The library is available for free on Github: https://github.com/dropbox/zxcvbn
An explanation of the library is here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
But the short version is that it analyzes patterns in the password instead of being a simple “does it have caps” and “does it have a symbol” method.
For example, a password of “Passw0rd123!” is not a good password by modern standards. It uses a dictionary word, it uses common leet-speak replacements, it starts with a capital letter, it ends in a symbol, and it includes a whole number which is a common pattern of sequential digits. It’s a human pattern, and modern password cracking systems are geared to specifically crack exactly that kind of password.
The zxcvbn library (“zxcvbn” is an example of a bad password) includes a list of common passwords, a common English dictionary, and many methods designed to recognize these patterns, as well as other patterns such as common keyboard patterns (Examples: “wasd” = connected letters, often used by gamers, while “951357” is the shape of an X on a numeric keypad). These sorts of things are then all ranked and a score is formed.
Modern passwords have to be basically complete gibberish, or long phrases, not simple patterns. Anything less is usually insecure to modern password cracker programs.