Hi @microscan5ep, thanks for your kind words about the plugin and suggestion on the improvements to our password strength rules.
You’re absolutely correct in your observations that length is a key factor in password strength, especially against automated attacks, and we may consider implementing something like that in the future. We do expect to get some pushback on changing this and will only be able to commit to a release when we can be sure the information we can provide and solution we come to is a good fit for most of our customers.
Keeping in mind that there are a lot of non-technical people running WordPress sites, if we didn’t keep some degree of character/case requirements there might be a decrease in the quality of overall passwords in some cases. However, for the benefit of other folks searching the forums, I’ll also mention that putting more roadblocks like reCAPTCHA and 2FA in front of gaining access, especially on your admin account(s), is our best recommendation on top of a complex or very long password.
We currently check some other things like sequences and repeated characters that would still be useful to prevent longer but repetitive (and easy to guess) passwords. WordPress itself still uses zxcvbn.js, but doesn’t enforce it if the user doesn’t want it.
Many thanks,
Peter.
Thanks for the reply, Peter. Maybe you could have the current password checks on by default, but provide an advanced setting where they can be turned off individually?
Absolutely agree with your comment re. 2FA, although I’m not a big fan of reCAPTCHA personally.
Regards,
An option could certainly be a good way to introduce a new requirement, so thanks again for your suggestion @microscan5ep.
As we’re unable to provide ongoing development updates here on the forums, topics such as this will be marked as “resolved”. Please note that we don’t consider this the case internally and all development requests are logged separately for internal discussion with a view to bringing many to the plugin over time.
Thanks again,
Peter.