With the adoption of the zxcvbn library in WordPress 3.7 and our use of Force Strong Passwords on all customer sites, the password criteria for new users is based on a different a style of password that users may not be used to, which favors easier to remember and harder to crack chains of words rather than typical password patterns.
While we don’t want to make our customers frustrated when creating passwords, we do want to do everything we can to help keep their sites safe. The use of a strong, unique password is one of the most important things a WordPress user can do to keep attackers from gaining access to their site.
Only passwords rated as Strong are accepted for Administrator, Editor, and Author level users.
How to Pick a Strong Password?
To create a password that meets our strength requirements, it’s recommended to use a mix of four or more random, common words, for example:
correcthorsebatterystsple. While this style of password might break from the common password patterns typically encouraged, it will be much more difficult for computers to crack, and remains easily memorable. If your password still falls below the required Strong password strength level, feel free to add some special characters or numbers to strengthen it and
The password strengths meter may seem random, but the zxcvbn library is in fact recognizing and rejecting common patterns such as dates, phrases, names, keyboard patterns (123456789), and even pop culture references, which can weaken passwords. To see how your own password is being evaluated, try out the official zxcvbn strength tester. For a more technical glance at the zxcbvn library, take a look at the blog post announcing the zxcvbn library.
Should you happen to run into any issues setting a password that reports to be strong, please do not hesitate to contact support.
Another way to ease password worries is to offload remembering your strong passwords to a password vault. Software like LastPass and 1Password are written with security in mind and make saving and recalling unique passwords dead simple. To lessen the friction of using a password vault, both pieces of software have browser extensions that auto-fill login forms with nothing more than a mouse click. This makes setting a complex password for every site — even ones not hosted with WP Engine — a non-issue.