Why a WordPress Password Generator is a Bad Idea


I recently read an article from WP Tavern asking if WordPress should include a password generator. The responses varied, but many in the comments thought it would be a good idea. Here’s why I disagree.

My obvious answer, which I’ll explain further in a minute, is that it’s not WordPress’ responsibility. WordPress is a publishing platform, and thus their job is to help people publish great content quickly & easily, not create strong passwords for their users.

You can read more about this feature (which is already scheduled for 3.8) on WordPress Core Trac. I can’t tell from the ticket how exactly it will be implemented, but I’d love to hear your opinion in the comments.

How important are user passwords to the overall security of WordPress? Take a look at these WordPress hack statistics for 2013.

How Other CMS Platforms Handle Passwords

Before we look at what other platforms are doing, I want to make this clear: Just because others are not doing it, I’m not saying that WordPress should not do it either. That’s flawed reasoning. But I do think it’s important to at least be aware of what the others are doing.

So, do other publishing platforms have a password generator in their core?

  • Joomla doesn’t appear to have anything in their core, but there are several extensions (i.e. plugins) that handle password management.
  • Drupal doesn’t appear to have anything in their core, but they do have a Password Policy extension, although it does not generate a password for you. It only adds requirements that must be met when changing a password.
  • ExpressionEngine has a few password features built-in (limit login attempts & restricting certain words within passwords), and a free add-on that will generate a strong password upon new user registration.

What About Online Banking Applications?

Arguably the most important sites to keep secure are online banking applications. I’ve only logged into a few banking sites in my time, so please chime in if you’ve seen something different. Most banking sites have password requirements that must be met, along with the occasional 2-step authentication process (a recognizable image, 4-digit PIN, etc.). But no banking site that I’ve ever seen has a password generator.

Why do banks matter? I’m not about to directly compare WordPress to Bank of America or Wells Fargo. But if some of the most complex & secure web applications out there don’t include password generators, I have to wonder why WordPress would include one.

Why doesn’t everyone create strong passwords?

While I can’t answer that question with any research or statistics, I’ll throw out a few possibilities:

  • Too lazy to compose and/or remember them
  • Don’t understand the importance of strong passwords (or the potential threat)
  • Don’t know how to create strong passwords

For those who are too lazy, I think generating a secure password for them is basically useless. They won’t write it down. They won’t spend any time to remember it. And they’ll probably just get frustrated next time they go to log in.

For those who don’t understand the importance, they need education. WordPress is not in the security education business, and I doubt they ever will be.

For those who don’t know how to create strong passwords, they also need education, and a little feedback on what’s secure & what’s not. An improved password strength meter provides that feedback, but they should get the education elsewhere.

Suggestion

Even though WordPress is not in the security education business, they already do their part to help users create a strong password. The following statement is displayed next to the password strength meter:

Hint: The password should be at least seven characters long. To make it stronger, use upper and lower case letters, numbers and symbols like ! ” ? $ % ^ & ).

The only recommendation I would make to improve upon this would be to link out to an article or resource for creating strong passwords. I could see a small text link appended to the existing message (similar to below). There are tons of generators out there.

WordPress password generator link
The General Settings page has a few examples of linking out to documentation to explain options.

What about requiring strong passwords?

If we require all users to have strong passwords, we’ll run into the issue of users forgetting them all the time. And if a site admin has to use the “Forgot Password?” link every time they need to log in to their site, we’re making it harder for them to publish content.

I’m not saying, as WordPress devs, that we should never require this. In some cases, with some sites and/or certain clients, this makes sense. When those cases are met, there’s a plugin that will do exactly what we need: Force Strong Passwords. But this functionality should remain a plugin, not be introduced to core.

Question of Security

It’s mainly a question of security. WordPress certainly has a responsibility to keep its platform secure. But its main goal is to provide a platform that allows people to publish information quickly & easily.

The plugin being considered for addition to the core, Simple User Password Generator, works well for what it does. But I don’t see it adding any additional layers of security to a WordPress install.

It auto-generates a strong password when a new user is created, and (if selected) will send that password to the user’s email (which, most devs would probably agree, is a security risk in-and-of-itself). Most users are going to change that password to something much easier for them to remember. And the plugin even gives you the option to include this message on the Dashboard when the new user logs in. However, now there is no way to predict, restrict, force, etc. the user to create a new strong password. It’s entirely up to them.

For the short period before the user logs in for the first time, a secure password will be in place. But a secure one could’ve easily been created by the admin in the first place. It might’ve taken an extra 10 seconds, but the admin could create something that is strong AND memorable… so maybe the new user would not feel the need to change it, thus leaving them with a strong password.

If you auto-generate something they’ll never remember, they’re more likely to create a new, NOT-SO-STRONG password.

Updating profile.php

As mentioned on WP Tavern, there is no way to generate a strong password on the profile.php page. In many cases, this essentially erases the hard work that the plugin did in the first place, because the new user will create a new, less-secure password.

If a password generator were added to the profile.php page, wouldn’t you need a way for the user to be able to see the password? If they can’t see it, how will they be able to remember it when they log in next time? To me, a password generator on profile.php is basically useless if it doesn’t provide a way for the user to see their password once it’s created.

Another UI Element

Adding a password generator creates another UI element (albeit a small one) to the WordPress admin.

WordPress has recently been eliminating options from its UI, or consolidating settings onto fewer pages.

  • Removed the “Links” top-level menu item on new installs. It’s still available to add back in as a plugin.
  • Moved the “Privacy Settings” to the “Settings” > “Reading” screen, eliminating the old privacy page that only had one option on it.
  • Removed the option to Enable/Disable XML-RPC services from the “Settings” > “Writing” page, making it enabled by default.

With fewer options & settings to worry about, writers can more quickly start doing what they set out to do… write. That’s why they installed WordPress in the first place.

You can’t protect everyone

Adding a password generator is a small step towards a larger concept of trying to protect everyone. As with any industry, or any problem that exists in our world, we can’t please everyone. We can’t save everyone. And we can’t protect everyone. Even the amazingly mighty, all-powerful WordPress can’t protect everyone.

Other services that handle security

There are many other services that handle security, and all WordPress users have the option to use these services, alongside WordPress, if they choose. Many of them have WordPress plugins or integrations that make them easy to install & configure. But I think it’s not WordPress’ place to get any more involved in the password business than they already are.

Managed WordPress hosting services (like WP Engine & page.ly) force you to use strong passwords, limit login attempts in a given period of time and disallow the “admin” username.

A backup service like CodeGuard will email you the second any of your files have changed, and VaultPress does daily scans, backups & monitoring.

Other security-focused services like sucuri.net provide malware scanning & firewall protection for many different platforms, not just WordPress, and CloudFlare offers protection at the DNS level.

With great power comes responsibility

WordPress puts the power in the hands of its users. Not to say this is the only reason WordPress has become so popular & widely used, but it’s certainly one of the reasons. And anytime you give someone great power, they automatically assume great responsibility. WordPress users are no different.

Once we start closing off the WordPress platform (and I say “we” because it’s open source software, and we are all responsible for its development, whether or not we contribute to core) and forcing restrictions and/or settings on our users, we take away some of that power, and WordPress becomes less useful.

A password generator (or limiting login attempts or forcing strong passwords) may seem like small improvements to keep WordPress safe, but I’m afraid they are small steps in the wrong direction for the future of WordPress.
