Steve Taylor

Force Strong Passwords for WordPress 3.7

The upcoming 3.7 release of WordPress is getting a new password strength meter, using the zxcvbn library from Dropbox.

It’s a great improvement. However, my Force Strong Passwords plugin is based on replicating the JavaScript password strength check in PHP. And zxcvbn.js is 683 KB (minified). I’m simply not going to be able to convert this to PHP, and I can’t see anyone else taking the challenge on.

So what I’m doing is adding some JavaScript for 3.7+ which simply passes the results of the client-side strength meter through to the server for the enforcement check. This should be fine. Of course, a tech-savvy user could manually bypass the check. But without a PHP port of zxcvbn, I think this’ll have to do.
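One way the server side of this arrangement can treat the reported score, as an added example rather than the plugin's own code: the score is validated as untrusted input and combined with checks the server can make without the client. The field names `password` and `client_score` and both thresholds are assumptions.

```php
<?php
// Added example, not the plugin's code. Field names and thresholds are assumptions.

const MIN_CLIENT_SCORE = 3;  // assumed policy; zxcvbn scores run from 0 (weakest) to 4
const MIN_LENGTH = 10;       // assumed server-side floor that ignores the client entirely

// Returns a list of error strings; an empty list means the password is accepted.
function check_new_password(array $post, string $username): array
{
    $errors = [];
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';

    // The reported score is untrusted input: it must be present and an integer 0-4.
    // filter_var() returns false for missing, non-numeric, array or out-of-range values.
    $score = filter_var($post['client_score'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 4]]);
    if ($score === false) {
        $errors[] = 'Strength score missing or malformed.';   // fail closed
    } elseif ($score < MIN_CLIENT_SCORE) {
        $errors[] = 'Password is too weak.';
    }

    // Checks the server can make by itself, so an edited score is not sufficient.
    if (strlen($password) < MIN_LENGTH) {
        $errors[] = 'Password is shorter than ' . MIN_LENGTH . ' characters.';
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        $errors[] = 'Password contains the username.';
    }
    return $errors;
}

// Constructed sample submissions.
$samples = [
    'honest, strong'      => ['password' => 'plum-Quartz-harbor-61', 'client_score' => '4'],
    'honest, weak'        => ['password' => 'steve2013',             'client_score' => '1'],
    'score edited upward' => ['password' => 'steve2013',             'client_score' => '4'],
    'score field removed' => ['password' => 'plum-Quartz-harbor-61'],
];
foreach ($samples as $label => $post) {
    $errors = check_new_password($post, 'steve');
    echo $label, ': ', $errors ? implode(' ', $errors) : 'accepted', PHP_EOL;
}
```

The server-side floor narrows what an edited score can admit; it does not replace the strength estimate the meter provides.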

The new version isn’t up on the wordpress.org repository yet, but you can download it from GitHub. If anyone’s using the beta of 3.7, do please give it a whirl and let me know if there are any issues. Any other feedback regarding this development is also most welcome.