With the adoption of the zxcvbn library in WordPress 3.7 and our use of Force Strong Passwords on all customer sites, the password criteria for new users has changed. The new criteria is based on a different style of strong password that users may not be used to. The criteria favors chains of words, making passwords easy to remember and harder to crack.
While we don’t want to make our customers frustrated when creating passwords, we do want to do everything we can to help keep their sites safe. The use of a strong, unique password is one of the most important security steps a WordPress user can take.
Only passwords rated as Strong are accepted for Administrator, Editor, and Author level users.
How to Pick a Strong Password?
To create a password that meets our strength requirements, it’s recommended to use a mix of four or more random, common words. For example:
correcthorsebatterystaple. This password style might not be very common, but it will be much more difficult for computers to crack. It also allows for your passwords to remain easily memorable. If your password still falls below the required Strong password strength level, feel free to add some special characters or numbers to strengthen it.
The password strengths meter may seem random, but the zxcvbn library is actually recognizing and rejecting common patterns. These patterns include dates, phrases, names, keyboard patterns (123456789), and even pop culture references, which can weaken passwords. To see how your own password is being evaluated, try out the official zxcvbn strength tester. For a more technical glance at the zxcbvn library, check out the blog announcement.
Please contact support if you have any troubles setting a strong password.
Another way to ease password worries is to keep your strong passwords in a password vault. This helps you by auto-filling strong passwords for you, so you don’t have the burden of remembering them. Software like LastPass and 1Password are written with security in mind. They make saving and recalling unique passwords simple. To lessen the friction of using a password vault, both pieces of software have browser extensions that auto-fill login forms. These tools make setting a complex password for every site super easy — even ones not hosted with WP Engine.
One of My admin users doesn’t want a strong password – what now?
Before continuing, it’s important to remind users that setting a strong password is a security measure that exists to protect your site. And remember, only Administrator, Editor, and Author-level users have this requirement. You can lower their user-level to help remove this restriction. If one of the above users requires setting a password which is not labeled as “strong,” you can manually reset the user’s password to the desired password using the database.