Thoughts about the WordPress 3.7 password meter

Password crackers are getting smarter, but so are password strength evaluation tools.

Here’s a great Ars Technica article on cracking passwords in this day and age; recommended reading.

It can be summarised roughly:

  • Password crackers have got significantly smarter by evaluating big chunks of passwords
  • The password you thought was strong is not necessarily strong; replacing some letters with numbers does not make it strong anymore
  • Modern computers running many GPUs can crack passwords easily
  • > …contains eight AMD Radeon HD7970 GPU cards. Running version 0.10 of oclHashcat-lite, it requires just 12 hours to brute force the entire keyspace for any eight-character password…

WpTavern has a good writeup on the new WordPress password evaluator.

The new WP 3.7 uses the Dropbox-developed zxcvbn (I had an epiphany while typing that) library to measure a password's real strength.

For example: Tr0ub4dour&3 is not good, but correcthorsebatterystaple is good.
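
Why a pattern-aware meter ranks these two the opposite way from a character-class check, as an added example that is not part of the original post and is not zxcvbn's actual algorithm. The word list, its per-word bit costs and the one-bit penalties for capitalisation and leet substitutions are constructed assumptions.

```javascript
// Added example: simplified pattern-aware estimate, NOT zxcvbn's real algorithm.
// WORDS is constructed: value = assumed log2(size of the attacker word list
// that would contain the word). All bit costs below are assumptions.
const WORDS = new Map([["troubadour", 16], ["correct", 11], ["horse", 11],
                       ["battery", 11], ["staple", 11]]);
const LEET = new Map([["0", "o"], ["1", "l"], ["3", "e"], ["4", "a"],
                      ["@", "a"], ["$", "s"]]);
const CHAR_BITS = Math.log2(95); // one unmatched printable-ASCII character

// Old-style meter: only checks length and that each character class is present.
function passesCompositionRules(pw) {
  return pw.length >= 8 && /[a-z]/.test(pw) && /[A-Z]/.test(pw) &&
         /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// Cost in bits of pw.slice(i, j) as a dictionary word, or Infinity if no match.
function wordBits(pw, i, j) {
  const raw = pw.slice(i, j);
  let subs = 0;
  const plain = [...raw.toLowerCase()]
    .map(c => (LEET.has(c) ? (subs++, LEET.get(c)) : c)).join("");
  if (!WORDS.has(plain)) return Infinity;
  const caps = raw !== raw.toLowerCase() ? 1 : 0; // 1 bit: capitalised or not
  return WORDS.get(plain) + caps + subs;          // 1 bit per leet substitution
}

// Cheapest way to explain the whole password as words plus leftover characters.
function estimateBits(pw) {
  const best = new Array(pw.length + 1).fill(Infinity);
  best[0] = 0;
  for (let j = 1; j <= pw.length; j++) {
    best[j] = best[j - 1] + CHAR_BITS;            // treat pw[j-1] as a random char
    for (let i = 0; i < j; i++) {
      best[j] = Math.min(best[j], best[i] + wordBits(pw, i, j));
    }
  }
  return best[pw.length];
}

for (const pw of ["Tr0ub4dour&3", "correcthorsebatterystaple"]) {
  console.log(pw, "rules:", passesCompositionRules(pw),
              "bits:", estimateBits(pw).toFixed(1));
}
```

Under these assumptions the substituted single word passes the class check but costs far fewer guesses than the four-word passphrase, which the class check rejects.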


The password crackers are getting better by evaluating big chunks of password data and finding repeatable patterns in them, then improving their algorithms accordingly. But this benefits not only the crackers but also the password strength meters.

