Posted: Thursday, June 7th, 2007 at 12:38 pm. Filed in Features, New Features, Security, WordPress.com.
Tags: Passwords
How strong is your password?
No matter how good the software running on a website is, there is always the human factor. If your password is “test”, “1234″, “qwerty” or anything obvious then you are putting your blog at risk of having it hacked. For that reason the password change form on the profile page now checks how strong your password is.
A password can have four levels of strength:
- Too short
- Bad
- Good
- Strong
Please try to make your passwords “strong”, but we’ll accept “good” passwords too. It makes it a bit harder to change your password but the extra effort is worth it.
We’re using this code by Phiras. Thank you Phiras for making it available! I’m going to integrate this into WPMU soon as strong passwords are so important for site security.
Wow! It’s ages since I’ve made a post about a new feature here. There’s a good reason for that. My wonderful son Adam was born on April 21st and had a small bit to do with my lack of updates. I’m working on a few more things now so I’ll be back to blog about more goodies soon!
June 7th, 2007 at 12:54 pm
Congrats first……………….. wishing all good for your son…
password strength counter is a cool one..
will this be available for self hosted blogs?
June 7th, 2007 at 12:58 pm
This is pretty good stuff.
By the way, Adam is sooo cute.
June 7th, 2007 at 1:01 pm
Good feature added..
June 7th, 2007 at 1:11 pm
Donncha, congratulations. Adam looks like a beautyfull baby.
Thanks for the concern about PWs. As an ex-geek, I recall promoting good passwords to people with whom I worked. It was a difficult sale.
I recommended using a readily memorable phrase, extracting the initial letters from it, and substituting numerals and punctuation for some of those letters. There are lots of illustrations on the Web of how to do this. Perhaps it will help some users to create secure passwords.
That said, I realize I’m using a relatively less secure PW. I ought to update mine.
Thanks, too, for the lesson in creating high key portraits!
June 7th, 2007 at 1:14 pm
If its WordPress, it has to keep getting better. No doubt WP beats the best in the biz.
Can this new feature be termed as a ‘User Generated’ one? If yes, I bet there’re 1,053,448 bloggers building WordPress.
June 7th, 2007 at 1:18 pm
thanks for the tip.
June 7th, 2007 at 1:22 pm
Μy password is “ebt76543jq”. I guess it’s very strong, isn’t it?
June 7th, 2007 at 1:22 pm
Thank you for new improvement!!
June 7th, 2007 at 1:23 pm
I use a string of random letters and numbers for my password.
June 7th, 2007 at 1:24 pm
Congrats on the birth of your son. He’s a cutie!
June 7th, 2007 at 1:26 pm
Great thing, It was something I hope before
June 7th, 2007 at 1:32 pm
Thanks for the reminder about security. And congratulations!
June 7th, 2007 at 1:34 pm
Congratulations on your son’s birth~!
Regarding the password feature, this is excellent! It’s also nice to know that the password I’ve been using for quite some time now is considered strong.
Cheers!
June 7th, 2007 at 1:47 pm
Congrats !
June 7th, 2007 at 2:09 pm
Cute baby!
June 7th, 2007 at 2:18 pm
Two great new additions! Congrats and make sure to help mom get some sleepy time in. Pay now or PAY later
June 7th, 2007 at 2:33 pm
pascal, now that you’ve given us your password, it’s not that strong anymore.
June 7th, 2007 at 2:33 pm
Good work! I remember once getting yelled at by customers that they needed any password at all to access their account details (incl credit cards!) and especially one that had so many rules on how to make a password. I don’t understand why people wanted their accounts to be so unsafe, and then whinge later if someone broke into their broadband (and actually got it turned off). *sigh* Anyway, smart thinking!
June 7th, 2007 at 2:38 pm
Take your time and enjoy your Son…ain’t nothing like the real thing Baby.
amm
June 7th, 2007 at 2:41 pm
I’d never tested my passwords, so it was interesting to give them a test
Thanks.
June 7th, 2007 at 2:44 pm
Your son is beautiful! Welcome back and thanks for the updates.
Babies are a gift from God! Praise the Lord for this amazing present and precious life He has given you.
P.S. I share the same birthday with Adam.
Blessings to you,
Scotti
June 7th, 2007 at 2:45 pm
Is it essential to change the password or are you just suggesting we should do it?
Congratulations for the birth of your son.
June 7th, 2007 at 2:50 pm
Strong Password, huh? How about $t0|\|ec0|_|)$te\/e@|_|$t||\|
and Congratulations for your li’l bundle of joy.
June 7th, 2007 at 2:54 pm
It’s helpful.
Congratulations!
June 7th, 2007 at 2:58 pm
Thanks for the update!
June 7th, 2007 at 3:11 pm
I don’t know what my passwords are. (Safer if I am deemed a terrorist and tortured. No information to give up.) ROBOFORM handles all my passwords for me.
June 7th, 2007 at 3:28 pm
Nice idea, but it has many weaknesses. It does not consider the possibility of dictionary attacks – it considers “0123456789″ to be a good password. In reality, a dictionary attack would break it within quite a short time (I think about 20000 attempts at max.)
Additionally, I do not think this much paranoia is necessary. A bruteforce attempt against a password not in a dictionary, consisting of 6 random lowercase characters, using 10 attepts per second (and 36000 failed login attempts per hour on one blog would probably alert the admin team!), running for 10 days 24/7, would break the password with a probability of 3%. However, this password is still considered “bad”. Even an 8-lowercase-letter password is considered bad. The same bruteforce attack, running for a whole year, would have a 0.15% chance of breaking the password!
If anyone wants to hack some blogs, he is going to do a simple dictionary attack, so nearly ANY password not in a password cracking dictionary (qwertz, 123456, asdf and similar things ARE in such dictionaries) will protect well enough. If anyone wants to hack exactly YOUR blog, he WILL infect your pc with a trojan and steal the password or sniff it from a network you use, and then even an ultra-secure password like f”gh&&sah/svSD13″bjh+§#gHW23= is not going to help you.
In my opinion, a simple dictionary test should be run against new passwords, and maybe a minimum length of 6 characters could be imposed. Together with effective server-side login delays (if wrong password entered more than 3 times, wait 5 seconds before telling the user if the password was wrong or right, and make sure he can not circumvent this by trying thousands of passwords in parallel), this should avoid any hacking attacks. It would be more interesting to allow users to limit admin menu access to https to avoid sending auth cookies or even passwords out in plain view and if there are failed login attempts since the last successfull login, the user should get a warning in red letters “n failed login attempts since last login” together with a option to view the IPs, and maybe a “last login: (date) (time)” display.
June 7th, 2007 at 3:43 pm
Congrats , Adam welcome to World Press Planet Org.
June 7th, 2007 at 3:46 pm
Nice idea. Maybe you could add it to the user pages for admins who are editing other users as well?
June 7th, 2007 at 3:56 pm
congratulations to you and ur family on your new son…tooooooooooooo sweet…and thx for all the wonderful updates u offer here…lookin forward to the password thing to be setup…be bless and enjoy your new baby… -g-
June 7th, 2007 at 4:14 pm
Your baby is beautiful! A million congratulations!!!!!
June 7th, 2007 at 4:48 pm
Congrats on the new baby. May he have a long and wonderful life.
About the password, I always wanted someone to tell me how good or bad my password was. Thanks.
Right now that line is just black, I guess I need to change the password to find out how good or bad it is.
June 7th, 2007 at 5:03 pm
this is awesome, and congrats on the new one…
the life is re-cycling !
Congrats once again
June 7th, 2007 at 6:01 pm
Aww such a cute baby! ^_^.
June 7th, 2007 at 6:21 pm
Sounds good!
June 7th, 2007 at 6:32 pm
Yay, another new baby in the world, you might guess I rather adore babies myself:)
June 7th, 2007 at 7:01 pm
A wonderful little boy! He has a GREAT birthday!
My son was also born on April 21 . . . only in 2003!
Wishing you all the best in the new adventure!
June 7th, 2007 at 7:08 pm
Ok, I was wondering what the “password strenth” thing on my profile was
June 7th, 2007 at 7:39 pm
Congratulations on the baby and nice feature.
June 7th, 2007 at 7:59 pm
Nice feature – one small bug. If you try to change your profile without changing your password it says “password too short”, and you have to re-enter your password each time.
June 7th, 2007 at 8:10 pm
I have to nod towards Jan’s idea. This is a blog, not a bank account. If you are putting that sensitive info on here, step back and ask why. People like Scoble may loose few hundred — near a thousand posts, but I doubt he would threaten to sue. I personally would loose little over 250 posts and 1200 comments, but I wouldn’t threaten to come after you guys. Yeah, I would be bummed to loose a few posts.
Congrats on the baby.
June 7th, 2007 at 8:13 pm
My password is monkey, is that good? kidding, Thanks.
June 7th, 2007 at 8:14 pm
Congratulations first.
But I am agree with Jan, is dummy.
The easy rule for a strong password is: minimum 8 characters length and requires at least one number, one uppercase letter and one number. For example: w0rdpRe$$.
Congrats again!!!
June 7th, 2007 at 8:17 pm
Congratulations! I think it’s a worthy addition–not necessarily perfect, but not intended to be either.
And for my shamless plug, i’m calling on all Canadians to visit my blog.
June 7th, 2007 at 8:21 pm
Congratulations on the beautiful baby boy
June 7th, 2007 at 8:52 pm
no matter what I do it keeps on saying “Password is too short” though the indicator says it’s “STRONG”.
Congrats on your lil munchkin, by the way.
June 7th, 2007 at 10:03 pm
thanks, and handsome son! know U R proud! best I can do is share dog pics. free for slides sat. nite?
June 7th, 2007 at 10:21 pm
i wish you and your family all the best.
the best way to keep your password safe its changin every month. i know it keeps safe if you make stronger mixing upper case, lower case and numbers…
June 7th, 2007 at 10:33 pm
Good Job Dude!
June 7th, 2007 at 11:13 pm
Felicitations! And thanks for the password security improvement.
June 7th, 2007 at 11:23 pm
I like the idea of password strength, although it’s not 100% foolproof, ti would at least make the users more conscious of security.
PS. Congrats on the new born baby!
June 7th, 2007 at 11:45 pm
Congrats on your son! I love the password strength meter. As a System Administrator I know how important strong passwords can be, thanks for providing this service. I’ve blogged on occasion about some of my experiences as a Sys Admin and trying to deal with people who want easy passwords, instead of secure passwords – not fun at all.
June 8th, 2007 at 12:51 am
Great new feature! I am glad to see that password strength is something being supported in WP and WPMU.
I currently am finishing up my first year of teaching a basic computer class in a local college, and password strength is something that I really found to be a problem among the masses. I am so very glad to see this update in the great WP code!
June 8th, 2007 at 1:52 am
Congratulations! Welcome baby Adam. (love that name)
Oh yeah good feature too.
June 8th, 2007 at 2:27 am
I wrote a post about generating unbreakable passwords a while back.
June 8th, 2007 at 2:36 am
whatever I try, changing my PW doesn’t work.
I always get “Password to short” (Perhaps 32 chars is not enough?^^)
June 8th, 2007 at 2:47 am
I think I have a strong password. It’s ‘aPPl3j4cks’. Is that a good password?
Hahaha. I’m just kidding of course.
June 8th, 2007 at 3:09 am
For some unknown reason, I’m still using the password that was automatically generated when I created my blog account. According to the “Update Your Password” box, the password *that WordPress gave me* is only “Good”… and too short! Guess I should change it!
June 8th, 2007 at 4:56 am
I love you guys
June 8th, 2007 at 5:09 am
congratulations
and a nice new feature …
June 8th, 2007 at 5:44 am
hmm i guess my password is strong enough…..but still a good feature…
n yes Congrats on the cutie pie!!!
June 8th, 2007 at 6:00 am
Congradulation! We had our first child on April 26th! Good luck and best wishes.
June 8th, 2007 at 7:12 am
ooh thanks for the password strength checker link. have been wanting that for along time now. couldnt find it.
June 8th, 2007 at 7:31 am
That’s very nice, already checked it.
June 8th, 2007 at 7:47 am
congratulations!! My first were twins….what chaos! They are now 18 and healthy so I made it….
I am sure you will enjoy blogging with Adam and think where we will be technologically when he is 18….
Susan in Italy
June 8th, 2007 at 8:05 am
Thanks for the update!
June 8th, 2007 at 8:18 am
second the motion, Dan’s observation. This has been discussed in the forum, they eventually solved it.
Congrats on this neat feature, hopefully you can also integrate Jan’s comments sometime.
June 8th, 2007 at 10:02 am
That’s a great idea improving security. Thanks a lot!!!
June 8th, 2007 at 10:19 am
Thanks everyone for your kind comments about Adam! Mark told me about the “password is too short” bug and I fixed it last night so everything should work ok.
I’d like to add a dictionary check when you submit your password but I think the current measures will do for the time being!
June 8th, 2007 at 11:21 am
Donncha,
For new life, congratulations. For making this blog a possibility for our peace group’s efforts many thanks. For offering guidance on password suitability, great help!
David-moderator of Klamath BasinPeace Forum
June 8th, 2007 at 1:56 pm
My password can bench 350lbs.. ten times.
June 8th, 2007 at 3:36 pm
My password is is being changes as we speak to make it as difficult as possible to crack
June 8th, 2007 at 5:12 pm
Thanks for this, and all the best to the extended WP family !
June 8th, 2007 at 8:29 pm
Uh – I guess I’d say Strong to Very Strong…
HAH!
June 8th, 2007 at 9:17 pm
Thank you for implementing this great tool! Congratulations and enjoy Adam, your bundle of joy!
June 8th, 2007 at 10:18 pm
Great update and congrats on the baby.
June 8th, 2007 at 10:37 pm
Nice work
,
I have to improve my algorithm to care about more things in the future.
June 9th, 2007 at 12:16 am
Congrats!!!
June 9th, 2007 at 2:06 am
Thanks for the informative article – and want to say congratulations on the birth of your beautiful child. Children are wonderful and precious – we all need to protect and nourish them, yet provide them with guidelines as they grow. It is hard to be a parent! The magical years to me, not that there isn’t reward as they grow older is from birth to about six years old. I have many fond recollections of those years with my son.
Wish the best for you and your child.
June 9th, 2007 at 2:38 am
Congrats on your son!!! And thanks for still thinking about us!
June 9th, 2007 at 8:17 am
I’m late to the party, but wishing you congratulations nonetheless.
How wonderful for you and your family!
June 9th, 2007 at 9:35 am
Mine password is 39 characters long
June 9th, 2007 at 11:43 am
My daughter shares your son’s birthday too – and you know what? So does the British Queen
Thanks for the heads-up. Good to see my password is graded ’strong’ – maybe I should use it for the house alarm too ;D
June 9th, 2007 at 7:42 pm
Congratulations on your new “feature” and thank you for the new WordPress feature.
June 9th, 2007 at 8:45 pm
Congratulations and God’s blessings on Adam and your family. Thanks for the reminder of password strength.
June 9th, 2007 at 9:52 pm
I think, a password is an “asmat,” a word used by a sorcerer to cheat other people, and this kind of cheating people by utilizing strange words has been used in African countries, especially in Ethiopia.
June 9th, 2007 at 10:10 pm
its so good sorry but i cant give you my password
:mrgreen:
June 10th, 2007 at 1:57 am
I was using a very weak password until I read this.
This article has forced me to change my password.
Very glad I read this.
bonusbuilder
June 10th, 2007 at 6:21 am
i hate my password…i’m filing for divorce…
June 10th, 2007 at 6:50 am
nice one…most of the WP fans can now…be even more secure!!!
Cheerz
Shri
June 10th, 2007 at 10:55 am
Really, a usefull indicator. thanks
June 10th, 2007 at 1:58 pm
Nice Security advice ! I’ve a soft one !
June 10th, 2007 at 7:42 pm
i just wanted to see me avatar :-p
June 11th, 2007 at 12:34 am
Congratulations on the baby!
Thanks for the new feature.
June 11th, 2007 at 1:45 am
luv this post!
keep the good work!
thx for the suggestions!
Greetings!
June 11th, 2007 at 5:15 am
thanks for the info; and it feels like a dilagoue; the human-mahine talk-touch keeps surfacing in wordpress.