Password plugin allows weak passwords

I have just installed and tested the Set Password plugin and it allowed the setting of username
tester1
and a password of
qwerty

I can't imagine how any developer could imagine this would be acceptable.
Surely there should be some sort of minimum requirements built into the plugin to prevent such ridiculously weak details from being used.

I used a password tester on this account and it was cracked in under 2 seconds.
This plugin is completely useless in its present form and should be removed from the WPMU inventory as anyone using it is at great risk of their user accounts being compromised.
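
A sketch of the kind of minimum-requirements check the post above asks for, as an added example that is not part of the thread and not the Set Password plugin's code. The function name, the 12-character minimum, the distinct-character threshold and the short denylist are all assumptions.

```php
<?php
// Added example with hypothetical names; requires the mbstring extension.
const MIN_PASSWORD_LENGTH = 12; // assumed policy value
const MIN_DISTINCT_CHARS  = 5;  // assumed policy value

// Small constructed denylist; a real deployment would load a large breached-password list.
const COMMON_PASSWORDS = ['qwerty', 'password', '123456', '12345678', 'letmein', 'admin', 'welcome'];

/** Returns a list of policy failures; an empty list means the password is accepted. */
function password_policy_failures(string $username, string $password): array
{
    $failures = [];
    $lower = mb_strtolower($password);

    if (mb_strlen($password) < MIN_PASSWORD_LENGTH) {
        $failures[] = 'shorter than ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    // Strip trailing digits/punctuation so "Qwerty1!" still matches "qwerty".
    $stem = preg_replace('/[^a-z]+$/', '', $lower);
    if (in_array($lower, COMMON_PASSWORDS, true) || in_array($stem, COMMON_PASSWORDS, true)) {
        $failures[] = 'is a commonly used password';
    }
    // Reject passwords that embed the account name (case-insensitive).
    if ($username !== '' && mb_stripos($password, $username) !== false) {
        $failures[] = 'contains the username';
    }
    // Catches "aaaaaaaaaaaa" and similar low-variety strings that pass the length check.
    $chars = preg_split('//u', $password, -1, PREG_SPLIT_NO_EMPTY) ?: [];
    if (count(array_unique($chars)) < MIN_DISTINCT_CHARS) {
        $failures[] = 'uses fewer than ' . MIN_DISTINCT_CHARS . ' distinct characters';
    }
    return $failures;
}

// Constructed sample input: the pair from the post plus a few variations.
$samples = [
    ['tester1', 'qwerty'],
    ['tester1', 'Qwerty1!'],
    ['tester1', 'tester1-tester1'],
    ['tester1', 'aaaaaaaaaaaaaa'],
    ['tester1', 'plum-Radar-kettle-42'],
];
foreach ($samples as [$user, $pass]) {
    $failures = password_policy_failures($user, $pass);
    echo $pass, ' => ', $failures ? 'REJECTED: ' . implode('; ', $failures) : 'accepted', PHP_EOL;
}
```

Only the last sample is accepted; the check has to run server-side at the point where the password is set, since a client-side strength meter alone can be bypassed.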

  • Adam Czajczyk

    Hello Joe,

    I hope you're well today and thank you for pointing this out.

    The "Set Password" plugin is actually used quite rarely by members and is kept available as long as it's working well as a "legacy" plugin, meaning that no new features will be implemented and it will not be developed.

    The only exception in development is everything security related. As this cannot be considered a bug but rather a matter of security standards, it's obviously important so thank you for pointing that out. I'll report this to our developers and hopefully they'll be able to improve this soon.

    Best regards,
    Adam

  • joe

    Thanks for the reply Adam.
    Can I repeat my assertion that this plugin should be removed from the WPMU inventory as anyone using it is at great risk of their user accounts being compromised?

    I thought allowing qwerty as a password was shocking, but this plugin allows even weaker passwords than that.

    With WordPress one of the most widely probed and attacked software on the internet, surely WPMU should not be contributing to potential break-ins by having such a weak plugin available?

  • Adam Czajczyk

    Hello Joe!

    Thanks for your feedback.

    I'm not in a position to decide whether the plugin will or will not be removed but I'll surely pass that suggestion to my bosses. I cannot promise anything here but I agree with your point on security risk.

    That said, I'm really not able to tell whether the plugin will be removed or just updated but I'm pretty sure it will be taken care of.

    Kind regards,
    Adam
