• Resolved ashkanahmadi

    (@ashkanahmadi)


    Hi

    When I scan my website, I get this message (replaced username and role with XXX):

    User “XXX” with ‘XXX’ access has a very easy password.
    Type: Insecure Password

    How does WordFence know that it’s a very easy password if the password is stored in an encrypted format in the db?

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @ashkanahmadi, thanks for your message.

    Dictionary words, common phrases, and exposed passwords from data breaches can be compared from their plain text version against a WordPress hashed password by using WordPress’ password functions. Notably, wp_check_password() can do this without exposing the encrypted password back to us or anybody else. If a password matches with anything considered insecure then they will be flagged for your attention.

    Thanks,
    Peter.
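
The check described in the reply above, as an added example that is not part of the original thread and is not Wordfence's or WordPress' own code. `check_password()` and `find_weak_accounts()` are hypothetical names, PHP's built-in `password_verify()` stands in for `wp_check_password()` so the script runs without WordPress, and the users and word list are constructed.

```php
<?php
// Added illustration: audit stored password hashes against known-weak candidates.
// check_password() is a hypothetical stand-in for WordPress' wp_check_password().
function check_password(string $candidate, string $stored_hash): bool
{
    // Re-derives the hash from the candidate using the salt and cost embedded in
    // $stored_hash, then compares the two in constant time. Nothing is decrypted.
    return password_verify($candidate, $stored_hash);
}

/**
 * Return the logins whose stored hash matches any candidate in $weak_list.
 * Only the login is reported; the matching candidate is deliberately not returned.
 */
function find_weak_accounts(array $users, array $weak_list): array
{
    $flagged = [];
    foreach ($users as $login => $stored_hash) {
        foreach ($weak_list as $candidate) {
            if (check_password($candidate, $stored_hash)) {
                $flagged[] = $login;
                break; // one match is enough to flag the account
            }
        }
    }
    return $flagged;
}

// Constructed sample data: what a user table holds (the hash only, never the plain text).
$users = [
    'editor_a' => password_hash('password123', PASSWORD_BCRYPT, ['cost' => 10]),
    'editor_b' => password_hash('password123', PASSWORD_BCRYPT, ['cost' => 10]),
    'admin_c'  => password_hash('kT9#vq2!Lm0zRw7e', PASSWORD_BCRYPT, ['cost' => 10]),
];

// Constructed sample of a weak-password list (dictionary words, breached passwords).
$weak_list = ['123456', 'qwerty', 'password123', 'letmein'];

// editor_a and editor_b share a password but were hashed with different random salts,
// so their stored hashes differ and cannot be matched against each other or against
// a precomputed table; each candidate has to be re-hashed per account.
var_dump($users['editor_a'] === $users['editor_b']);

// Lists the accounts whose password appears in the weak list.
print_r(find_weak_accounts($users, $weak_list));
```

Inside WordPress the stand-in would be replaced by `wp_check_password( $candidate, $user->user_pass, $user->ID )`. Because every candidate costs one full hash computation per account, the audit is limited to a finite word list, which is why a long random password is never flagged.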

    Thread Starter ashkanahmadi

    (@ashkanahmadi)

    Thank you. That clarifies it.

  • The topic ‘How does WordFence know if a password is weak?’ is closed to new replies.