No matter how good the software running on a website is, there is always the human factor. If your password is “test”, “1234”, “qwerty” or anything obvious then you are putting your blog at risk of having it hacked. For that reason the password change form on the profile page now checks how strong your password is.
A password can have four levels of strength:
- Too short
- Bad
- Good
- Strong
Please try to make your passwords “strong”, but we’ll accept “good” passwords too. It makes it a bit harder to change your password but the extra effort is worth it.
We’re using this code by Phiras. Thank you Phiras for making it available! I’m going to integrate this into WPMU soon as strong passwords are so important for site security.
Wow! It’s ages since I’ve made a post about a new feature here. There’s a good reason for that. My wonderful son Adam was born on April 21st and had a small bit to do with my lack of updates. I’m working on a few more things now so I’ll be back to blog about more goodies soon!
WordPress.com News 
Congrats first……………….. wishing all good for your son…
password strength counter is a cool one.. 🙂 will this be available for self hosted blogs?
This is pretty good stuff.
By the way, Adam is sooo cute.
Good feature added..
Donncha, congratulations. Adam looks like a beautyfull baby.
Thanks for the concern about PWs. As an ex-geek, I recall promoting good passwords to people with whom I worked. It was a difficult sale.
I recommended using a readily memorable phrase, extracting the initial letters from it, and substituting numerals and punctuation for some of those letters. There are lots of illustrations on the Web of how to do this. Perhaps it will help some users to create secure passwords.
That said, I realize I’m using a relatively less secure PW. I ought to update mine.
Thanks, too, for the lesson in creating high key portraits!
If its WordPress, it has to keep getting better. No doubt WP beats the best in the biz.
Can this new feature be termed as a ‘User Generated’ one? If yes, I bet there’re 1,053,448 bloggers building WordPress.
thanks for the tip.
Μy password is “ebt76543jq”. I guess it’s very strong, isn’t it?
😉
Thank you for new improvement!!
I use a string of random letters and numbers for my password.
Congrats on the birth of your son. He’s a cutie!
Great thing, It was something I hope before
Thanks for the reminder about security. And congratulations!
Congratulations on your son’s birth~!
Regarding the password feature, this is excellent! It’s also nice to know that the password I’ve been using for quite some time now is considered strong.
Cheers!
Congrats !
Cute baby!
Two great new additions! Congrats and make sure to help mom get some sleepy time in. Pay now or PAY later 😉
pascal
, now that you’ve given us your password, it’s not that strong anymore. 😛
Good work! I remember once getting yelled at by customers that they needed any password at all to access their account details (incl credit cards!) and especially one that had so many rules on how to make a password. I don’t understand why people wanted their accounts to be so unsafe, and then whinge later if someone broke into their broadband (and actually got it turned off). *sigh* Anyway, smart thinking!
Take your time and enjoy your Son…ain’t nothing like the real thing Baby.
amm
I’d never tested my passwords, so it was interesting to give them a test 🙂 Thanks.
Your son is beautiful! Welcome back and thanks for the updates.
Babies are a gift from God! Praise the Lord for this amazing present and precious life He has given you.
P.S. I share the same birthday with Adam.
Blessings to you,
Scotti
Is it essential to change the password or are you just suggesting we should do it?
Congratulations for the birth of your son.
Strong Password, huh? How about $t0|\|ec0|_|)$te\/e@|_|$t||\|
and Congratulations for your li’l bundle of joy.
It’s helpful.
Congratulations!
Thanks for the update!
I don’t know what my passwords are. (Safer if I am deemed a terrorist and tortured. No information to give up.) ROBOFORM handles all my passwords for me. 🙂
Nice idea, but it has many weaknesses. It does not consider the possibility of dictionary attacks – it considers “0123456789” to be a good password. In reality, a dictionary attack would break it within quite a short time (I think about 20000 attempts at max.)
Additionally, I do not think this much paranoia is necessary. A bruteforce attempt against a password not in a dictionary, consisting of 6 random lowercase characters, using 10 attepts per second (and 36000 failed login attempts per hour on one blog would probably alert the admin team!), running for 10 days 24/7, would break the password with a probability of 3%. However, this password is still considered “bad”. Even an 8-lowercase-letter password is considered bad. The same bruteforce attack, running for a whole year, would have a 0.15% chance of breaking the password!
If anyone wants to hack some blogs, he is going to do a simple dictionary attack, so nearly ANY password not in a password cracking dictionary (qwertz, 123456, asdf and similar things ARE in such dictionaries) will protect well enough. If anyone wants to hack exactly YOUR blog, he WILL infect your pc with a trojan and steal the password or sniff it from a network you use, and then even an ultra-secure password like f”gh&&sah/svSD13″bjh+§#gHW23= is not going to help you.
In my opinion, a simple dictionary test should be run against new passwords, and maybe a minimum length of 6 characters could be imposed. Together with effective server-side login delays (if wrong password entered more than 3 times, wait 5 seconds before telling the user if the password was wrong or right, and make sure he can not circumvent this by trying thousands of passwords in parallel), this should avoid any hacking attacks. It would be more interesting to allow users to limit admin menu access to https to avoid sending auth cookies or even passwords out in plain view and if there are failed login attempts since the last successfull login, the user should get a warning in red letters “n failed login attempts since last login” together with a option to view the IPs, and maybe a “last login: (date) (time)” display.
Congrats , Adam welcome to World Press Planet Org.
Nice idea. Maybe you could add it to the user pages for admins who are editing other users as well?
congratulations to you and ur family on your new son…tooooooooooooo sweet…and thx for all the wonderful updates u offer here…lookin forward to the password thing to be setup…be bless and enjoy your new baby… -g-
Your baby is beautiful! A million congratulations!!!!!
Congrats on the new baby. May he have a long and wonderful life.
About the password, I always wanted someone to tell me how good or bad my password was. Thanks.
Right now that line is just black, I guess I need to change the password to find out how good or bad it is.
this is awesome, and congrats on the new one…
the life is re-cycling !
Congrats once again
Aww such a cute baby! ^_^.
Sounds good!
Yay, another new baby in the world, you might guess I rather adore babies myself:)
A wonderful little boy! He has a GREAT birthday!
My son was also born on April 21 . . . only in 2003!
Wishing you all the best in the new adventure!
Ok, I was wondering what the “password strenth” thing on my profile was
Congratulations on the baby and nice feature. 🙂
Nice feature – one small bug. If you try to change your profile without changing your password it says “password too short”, and you have to re-enter your password each time.
I have to nod towards Jan’s idea. This is a blog, not a bank account. If you are putting that sensitive info on here, step back and ask why. People like Scoble may loose few hundred — near a thousand posts, but I doubt he would threaten to sue. I personally would loose little over 250 posts and 1200 comments, but I wouldn’t threaten to come after you guys. Yeah, I would be bummed to loose a few posts.
Congrats on the baby.
My password is monkey, is that good? kidding, Thanks.
Congratulations first.
But I am agree with Jan, is dummy.
The easy rule for a strong password is: minimum 8 characters length and requires at least one number, one uppercase letter and one number. For example: w0rdpRe$$.
Congrats again!!!
Congratulations! I think it’s a worthy addition–not necessarily perfect, but not intended to be either.
And for my shamless plug, i’m calling on all Canadians to visit my blog. 😉
Congratulations on the beautiful baby boy
no matter what I do it keeps on saying “Password is too short” though the indicator says it’s “STRONG”.
Congrats on your lil munchkin, by the way.
thanks, and handsome son! know U R proud! best I can do is share dog pics. free for slides sat. nite?
i wish you and your family all the best.
the best way to keep your password safe its changin every month. i know it keeps safe if you make stronger mixing upper case, lower case and numbers…
Good Job Dude! 🙂
Felicitations! And thanks for the password security improvement.
I like the idea of password strength, although it’s not 100% foolproof, ti would at least make the users more conscious of security.
PS. Congrats on the new born baby!
Congrats on your son! I love the password strength meter. As a System Administrator I know how important strong passwords can be, thanks for providing this service. I’ve blogged on occasion about some of my experiences as a Sys Admin and trying to deal with people who want easy passwords, instead of secure passwords – not fun at all.
Great new feature! I am glad to see that password strength is something being supported in WP and WPMU.
I currently am finishing up my first year of teaching a basic computer class in a local college, and password strength is something that I really found to be a problem among the masses. I am so very glad to see this update in the great WP code!
Congratulations! Welcome baby Adam. (love that name)
Oh yeah good feature too.
I wrote a post about generating unbreakable passwords a while back.
whatever I try, changing my PW doesn’t work.
I always get “Password to short” (Perhaps 32 chars is not enough?^^)
I think I have a strong password. It’s ‘aPPl3j4cks’. Is that a good password?
Hahaha. I’m just kidding of course.
For some unknown reason, I’m still using the password that was automatically generated when I created my blog account. According to the “Update Your Password” box, the password *that WordPress gave me* is only “Good”… and too short! Guess I should change it!
I love you guys
congratulations 🙂
and a nice new feature …
hmm i guess my password is strong enough…..but still a good feature…
n yes Congrats on the cutie pie!!!
Congradulation! We had our first child on April 26th! Good luck and best wishes.
ooh thanks for the password strength checker link. have been wanting that for along time now. couldnt find it.
That’s very nice, already checked it.
congratulations!! My first were twins….what chaos! They are now 18 and healthy so I made it….
I am sure you will enjoy blogging with Adam and think where we will be technologically when he is 18…. 😉
Susan in Italy
Thanks for the update!
second the motion, Dan’s observation. This has been discussed in the forum, they eventually solved it.
Congrats on this neat feature, hopefully you can also integrate Jan’s comments sometime. 🙂
That’s a great idea improving security. Thanks a lot!!!
Thanks everyone for your kind comments about Adam! Mark told me about the “password is too short” bug and I fixed it last night so everything should work ok.
I’d like to add a dictionary check when you submit your password but I think the current measures will do for the time being!
Donncha,
For new life, congratulations. For making this blog a possibility for our peace group’s efforts many thanks. For offering guidance on password suitability, great help!
David-moderator of Klamath BasinPeace Forum
My password can bench 350lbs.. ten times.
My password is is being changes as we speak to make it as difficult as possible to crack
Thanks for this, and all the best to the extended WP family !
Uh – I guess I’d say Strong to Very Strong…
HAH!
Thank you for implementing this great tool! Congratulations and enjoy Adam, your bundle of joy!
Great update and congrats on the baby.
Nice work 🙂 ,
I have to improve my algorithm to care about more things in the future.
Congrats!!!
Thanks for the informative article – and want to say congratulations on the birth of your beautiful child. Children are wonderful and precious – we all need to protect and nourish them, yet provide them with guidelines as they grow. It is hard to be a parent! The magical years to me, not that there isn’t reward as they grow older is from birth to about six years old. I have many fond recollections of those years with my son.
Wish the best for you and your child.
Congrats on your son!!! And thanks for still thinking about us!
I’m late to the party, but wishing you congratulations nonetheless.
How wonderful for you and your family!
Mine password is 39 characters long
My daughter shares your son’s birthday too – and you know what? So does the British Queen 😀
Thanks for the heads-up. Good to see my password is graded ‘strong’ – maybe I should use it for the house alarm too ;D
Congratulations on your new “feature” and thank you for the new WordPress feature.
Congratulations and God’s blessings on Adam and your family. Thanks for the reminder of password strength.
I think, a password is an “asmat,” a word used by a sorcerer to cheat other people, and this kind of cheating people by utilizing strange words has been used in African countries, especially in Ethiopia.
its so good sorry but i cant give you my password 8)
I was using a very weak password until I read this.
This article has forced me to change my password.
Very glad I read this.
bonusbuilder
i hate my password…i’m filing for divorce…
nice one…most of the WP fans can now…be even more secure!!!
Cheerz
Shri
Really, a usefull indicator. thanks
Nice Security advice ! I’ve a soft one !
i just wanted to see me avatar :-p
Congratulations on the baby!
Thanks for the new feature.
luv this post!
keep the good work! 🙂 thx for the suggestions!
Greetings!
thanks for the info; and it feels like a dilagoue; the human-mahine talk-touch keeps surfacing in wordpress.