WordPress 3.7 made big strides towards helping users create stronger passwords with the new password strength meter, powered by the zxcvbn library. Despite having this excellent tool available, many users have admitted that they are in fact too lazy to come up with a strong password and would prefer to have a password generator available within the WordPress admin.
Aaron Campbell opened a Trac ticket on a related topic five years ago, requesting a button that generates a random password to use when creating a new user account in the admin section. Brad Williams chimed in on the original ticket to suggest the cPanel password generator as a good UI example of how WordPress might include this feature. The same idea was also presented by Ryan Duff two years ago in a post on the WordPress Ideas page. While the password strength meter is now active on this screen, you still need to create the password yourself.
Proposal to Add Simple User Password Generator to Core
Several months ago, Pippin Williamson created a new ticket, proposing the inclusion of the Simple User Password Generator plugin, created by the folks at 10up, to accomplish this. This plugin also adds an option to encourage the user to change his password when logged in to the admin. It also has an option to send existing users the new, auto-generated password. It looks like this enhancement is on track to be included in WordPress 3.8.
More Password Wishlist Items
The Simple User Password Generator plugin is excellent, but it doesn’t take into account editing your own password at profile.php, which is just as important as setting up new user passwords. It would be helpful to include its capabilities on this screen for changing passwords.
Hopefully the new addition will be extensible so that other plugins can make use of it. It would be nice to be able to easily add this to BuddyPress front-end password management in the settings screen via a plugin.
Ultimately, maintaining a strong password is the responsibility of the user. Do you think that WordPress users would, on the whole, be better served with a built-in password generator? Given that there are already many third-party services such as LastPass, 1Password and others that can do this in the browser, should we be adding this to the core?