Why can't I have a weak password?

  • Unknown

    “At WordPress.com, we go to great lengths to make sure your content is secure, protected, and can’t be accessed by anyone other than you.”

    You do indeed. And as the content I store in WordPress is completely trivial, and I only access it a few times a year, I want to keep only a basic password for it. However your system insists I must have letters and numbers, and it mustn’t be a password I have used before. Why? It isn’t a banking website!

    I don’t remember my WordPress password. Why? Because I access hundreds of sites at much the same frequency as WordPress and there is no way I can remember hundreds of passwords. I just want to use a generic password for all these trivial accesses.

    Basically every single time I access WordPress, if the browser has dropped the password from memory, I get a new password. Invariably I try the same ones, because they are memorable, and invariably I get that stupid message saying “you’ve used this password before!”. I KNOW I have – that’s because it is a GOOD password.

    The idea that a password is automatically bad if it can be generated by a dictionary attack or some such is incorrect. The primary purpose of a password is not to DENY access to the precluded; it is to ALLOW access to the INcluded. Your password system fails this primary test.

    I don’t mind if you do as other sites do and WARN me that my password is weak, if you feel you must. But please allow me to use a simple password, and to turn off the preclusion against re-used passwords. You are not a bank.

  • Unknown

    The purpose of requiring a new, strong password is to ensure that people don’t start complaining of being hacked into by people. If someone has a simple password, like ‘password’, and someone wants to gain access, it won’t take them very long. This is a security measure, to protect WordPress’ millions of blogs, and to ensure that we users maintain control of our sites.

    Obviously it can be tricky remembering hundreds of passwords. Some simple approaches are to use the same password for all sites (which is obviously fraught with danger, since if someone gets that password they have access to everything), or to have the same ‘base password’, for example A1r!x or something, and then add on something related to that website, maybe wordA1r!x, or something. That way you have a password which is going to be tricky to guess, one that is different for all sites, but one you should remember. In my opinion the whole point of the password is to keep everyone else out, whilst letting you in.

    Or better yet use one of these plugins for your browsers to remember the passwords for you, since they won’t forget like your browser might.

    Keepass – Open Source, free to download and use. Available for Windows, Mac and Linux.
    LastPass – Free service with premium option. Available for all major OSs, browsers and mobile devices.
    1Password – Paid download. Available for Windows, Mac and iOS, with support for all major browsers.

  • Unknown

    danielisreading: Thanks for your response. I hope you don’t mind my saying that I’m fairly familiar with the arguments you make. The problem with the ‘base password’ approach:

    1) It largely removes the point of having different passwords anyway
    2) Many sites insist on passwords being updated, and won’t allow re-used passwords
    3) You are still subject to the vagaries of differing templates, depending on the site. WordPress wants letters/numbers; someone else wants “at least 8 chars”; someone else insists on a punctuation mark. It’s almost impossible to come up with a base password that is acceptable to ALL the possible Strong Password templates. I could probably remember what the password was if the template was supplied (i.e. “Enter Password: – hint: it’s got to be letters and numbers”) but I never remember which site has which particular Strong Password fixation. Remember, these are the sites that I access extremely infrequently.

    The problem with Keepass relates to triviality. I’m sure it’s a good system for your banking or your email or facebook. But THOSE passwords are the ones I remember! It’s the UNimportant ones, for sites that I don’t access for months at a time, that are the problem. And there are hundreds of them. Hauling out Keepass for each one … and having to drag the Keepass base file around on a thumb drive to access remotely … well frankly, it is easier to just get a new password every time I access the site.

    It should be ME who decides whether I need a strong password. I DO use strong passwords for my bank accounts and my email. But what I store here on WordPress is trivial. Nor is it any kind of valuable target for anyone to bother making a dictionary attack. And it is infrequently accessed. It’s exactly the sort of thing that SHOULD be accessed by the same password for a bunch of sites: the “this is not very important” password.
    My main point however, is that strong passwording so commonly ends up being completely counter-productive. In attempting to insist on a strong password, WordPress is falling into a trap many others have fallen into, because once a password is ‘strong’ enough to be unmemorable, it usually ends up scribbled on a Post-it Note attached to the monitor … i.e. the insistence on strong passwords produces security far worse than if they would just allow any password at all.
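  • Editor’s note: the posts above argue about a rule (letters and numbers required, no reuse of an earlier password) without showing what such a rule actually checks. The block below is an added example, not WordPress.com’s code and not posted by either participant. It shows the usual shape of such a check: a composition rule, a lookup against a list of common passwords, and a reuse check done against salted hashes of earlier passwords rather than the passwords themselves. The policy constants, the tiny common-password list and the sample passwords are constructed for the example. It also makes concrete a point both posts touch on: a password can satisfy a letters-and-digits rule and still be a dictionary word, so the two checks do different jobs.

```python
import hashlib
import hmac
import re
import secrets
from typing import List, Tuple

# Hypothetical policy constants, chosen for this example only.
MIN_LENGTH = 8        # minimum length accepted
HISTORY_DEPTH = 5     # how many previous passwords are remembered for the reuse check
PBKDF2_ROUNDS = 100_000

# Constructed, deliberately tiny list of common passwords. A real deployment would
# consult a large breach-derived list; the point here is only that "password1"
# passes the letters-and-digits rule and still belongs on such a list.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}


def meets_composition_rule(pw: str) -> bool:
    """The 'letters and numbers' template: long enough, at least one letter and one digit."""
    return (
        len(pw) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
    )


def hash_password(pw: str, salt: bytes) -> bytes:
    """Slow salted hash so the stored history cannot simply be read back as passwords."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Keeps (salt, hash) pairs for the last HISTORY_DEPTH passwords of one account."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []

    def was_used(self, pw: str) -> bool:
        # Each entry has its own salt, so the candidate must be re-hashed per entry.
        return any(
            hmac.compare_digest(hash_password(pw, salt), digest)
            for salt, digest in self.entries
        )

    def record(self, pw: str) -> None:
        salt = secrets.token_bytes(16)
        self.entries.append((salt, hash_password(pw, salt)))
        # Forget the oldest entries beyond the configured depth.
        self.entries = self.entries[-self.depth:]


def evaluate(pw: str, history: PasswordHistory) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    reasons = []
    if not meets_composition_rule(pw):
        reasons.append("composition")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    if history.was_used(pw):
        reasons.append("reused")
    return reasons


if __name__ == "__main__":
    # Constructed walk-through of one account changing its password a few times.
    history = PasswordHistory()
    for candidate in ["password", "password1", "Tr0ub4dor&3", "Tr0ub4dor&3"]:
        verdict = evaluate(candidate, history)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
        if not verdict:
            history.record(candidate)
```

    Two design points worth noticing: the reuse check never stores or compares plaintext, so a leaked history table gives an attacker hashes to crack rather than a ready-made list of the user’s favourite passwords; and the composition rule on its own says nothing about guessability, which is why a separate common-password list is needed regardless of how the template is phrased.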
