How is password strength calculated?

A password that contains:

  • at least one capital letter,
  • at least one small letter,
  • at least one number and
  • at least one non-alphanumeric character,

is considered moderate to strong (sometimes even very strong) on all systems that I’ve been using so far… except WordPress, where it is considered very weak. What am I missing here?

If this is a very weak password, then what rules should it match to be considered strong or very strong by the person who created the password strength meter in the WordPress.org Network system?


The password strength meter in the latest versions of WordPress uses a library called “zxcvbn”, made by Dropbox in 2012.

The library is available for free on Github: https://github.com/dropbox/zxcvbn

An explanation of the library is here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

But the short version is that it analyzes patterns in the password instead of being a simple “does it have caps” and “does it have a symbol” method.

For example, a password of “Passw0rd123!” is not a good password by modern standards. It uses a dictionary word, it uses common leet-speak replacements, it starts with a capital letter, it ends in a symbol, and it includes a whole number which is a common pattern of sequential digits. It’s a human pattern, and modern password cracking systems are geared to specifically crack exactly that kind of password.

The zxcvbn library (“zxcvbn” is an example of a bad password) includes a list of common passwords, a common English dictionary, and many methods designed to recognize these patterns, as well as other patterns such as common keyboard patterns (Examples: “wasd” = connected letters, often used by gamers, while “951357” is the shape of an X on a numeric keypad). These sorts of things are then all ranked and a score is formed.

Modern passwords have to be basically complete gibberish, or long phrases, not simple patterns. Anything less is usually insecure against modern password cracker programs.

Try what you think a “good” password is in the Javascript demo. It might prove enlightening:

https://lowe.github.io/tryzxcvbn/
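To make the difference between the two approaches concrete, here is an added example (not code from the answer above and not zxcvbn's own implementation): a toy pattern-based estimator in the spirit of zxcvbn, placed next to the naive "one of each character class" rule. The dictionary, leet table, keyboard geometry and guess constants are assumptions chosen for illustration, not the library's real values; the general shape (find the longest cheap pattern at each position, multiply the guesses) is the idea the answer describes.

```javascript
// Added example, not zxcvbn's code: a toy pattern-based strength estimator
// in the spirit of zxcvbn, next to the naive "four character classes" rule.
// DICTIONARY, LEET, QWERTY and the guess constants are illustrative assumptions.

const DICTIONARY = ["password", "qwerty", "welcome", "dragon", "letmein"]; // rank = index + 1
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i" };
// Rough QWERTY geometry: row r is shifted right by half a key per row.
const QWERTY = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"];
const KEY_COUNT = QWERTY.join("").length; // 36 possible starting keys
const AVG_DEGREE = 4;                     // assumed average neighbours per key
const MIN_PATTERN_LEN = 3;

// The rule from the question: one of each class and nothing else is checked.
function naiveClassCheck(pw) {
  return /[A-Z]/.test(pw) && /[a-z]/.test(pw) && /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

function unleet(s) {
  return [...s].map((c) => LEET[c] ?? c).join("");
}

function keyPos(c) {
  for (let r = 0; r < QWERTY.length; r++) {
    const x = QWERTY[r].indexOf(c);
    if (x >= 0) return { x: x + r * 0.5, y: r };
  }
  return null; // not on the toy keyboard (e.g. "!" or a space)
}

function adjacentKeys(a, b) {
  const p = keyPos(a), q = keyPos(b);
  return a !== b && p !== null && q !== null &&
    Math.abs(p.x - q.x) <= 1 && Math.abs(p.y - q.y) <= 1;
}

// Each matcher returns the longest match starting at index i, or null.
function dictionaryMatch(pw, i) {
  for (let len = pw.length - i; len >= MIN_PATTERN_LEN; len--) {
    const token = pw.slice(i, i + len);
    const lower = token.toLowerCase();
    for (const word of [lower, unleet(lower)]) {
      const rank = DICTIONARY.indexOf(word) + 1;
      if (rank > 0) {
        const leet = word !== lower ? 2 : 1;       // l33t substitutions roughly double the work
        const caps = /[A-Z]/.test(token) ? 2 : 1;  // a capitalised variant, likewise
        return { pattern: "dictionary", token, guesses: rank * leet * caps };
      }
    }
  }
  return null;
}

function spatialMatch(pw, i) {
  const lower = pw.toLowerCase();
  let len = 1;
  while (i + len < pw.length && adjacentKeys(lower[i + len - 1], lower[i + len])) len++;
  if (len < MIN_PATTERN_LEN) return null;
  const token = pw.slice(i, i + len);
  // a starting key, then an assumed branching factor for every further key
  return { pattern: "spatial", token, guesses: KEY_COUNT * AVG_DEGREE ** (len - 1) };
}

function sequenceMatch(pw, i) {
  if (i + 1 >= pw.length) return null;
  const step = pw.charCodeAt(i + 1) - pw.charCodeAt(i);
  if (Math.abs(step) !== 1) return null;
  let len = 2;
  while (i + len < pw.length && pw.charCodeAt(i + len) - pw.charCodeAt(i + len - 1) === step) len++;
  if (len < MIN_PATTERN_LEN) return null;
  const token = pw.slice(i, i + len);
  const base = /[0-9]/.test(token[0]) ? 10 : 26; // digit runs are cheaper than letter runs
  return { pattern: "sequence", token, guesses: base * len * (step > 0 ? 1 : 2) };
}

// Characters that match no pattern cost one guess per symbol in the classes used.
function bruteForceCardinality(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^A-Za-z0-9]/.test(pw)) n += 33;
  return n;
}

function analyze(pw) {
  const card = bruteForceCardinality(pw);
  const matches = [];
  let guesses = 1;
  let i = 0;
  while (i < pw.length) {
    const found = [dictionaryMatch, spatialMatch, sequenceMatch]
      .map((m) => m(pw, i)).filter((m) => m !== null);
    let best;
    if (found.length > 0) {
      const longest = Math.max(...found.map((m) => m.token.length));
      // among the longest matches, assume the attacker takes the cheapest one
      best = found.filter((m) => m.token.length === longest).sort((a, b) => a.guesses - b.guesses)[0];
    } else {
      best = { pattern: "bruteforce", token: pw[i], guesses: card };
    }
    matches.push(best);
    guesses *= best.guesses;
    i += best.token.length;
  }
  return { matches, guesses, log10Guesses: Math.log10(guesses) };
}
```

With these toy constants, `analyze("Passw0rd123!")` passes `naiveClassCheck` but decomposes into a leet-and-capitalised dictionary word, an ascending digit sequence and one brute-forced symbol, for about 1.1e4 guesses (log10 ≈ 4), while `analyze("wasd")` is recognised as a keyboard walk and the lower-case phrase `correct horse battery staple`, which fails the class check, is scored as pure brute force at about 10^49. The real library has far richer matchers (dates, repeats, reversed words, l33t tables, keypad layouts, a minimum-guesses search over overlapping matches), but the scoring logic it builds on is this one: the cost of the cheapest pattern decomposition, not the presence of character classes.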
