Inspired by how Facebook assists its users when they log in, I decided to implement something similar for WordPress.

The other day, I came across a tweet with a screenshot that indicates that Facebook does some interesting permutations of the supplied password when authorizing users:

I thought this was a brilliant idea, and wanted to see if I could implement something like this in WordPress. The result (so far) is some code that, when the supplied password fails, runs a few permutations of it and retests each one.

More precisely: when the user’s password fails, we try some permutations of it to correct for the following cases:

  • If a user inadvertently has caps lock enabled.
  • If their mobile device automatically capitalized the first character of the password.
  • If an extra character is added to the end of the password.
  • If an extra whitespace was added at the beginning or the end of the password.

So here’s the code I made as a proof of concept. It works with any properly coded hashing pluggable, such as Roots’ WP Password bcrypt. You can just download this file and drop it in your mu-plugins directory.
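The post’s own file is not reproduced here; the following is an added example of the same idea (not the author’s code) written as a WordPress mu-plugin. It assumes PHP 7.4+ with the mbstring extension, and relies on the real `authenticate` filter, `get_user_by()` and `wp_check_password()`; the `pa_` function names are made up for this example.

```php
<?php
/**
 * Password assistance (added example). Drop into wp-content/mu-plugins/.
 * Retries the four permutations from the post, but only after WordPress has
 * already rejected the password exactly as typed.
 */

// Build the alternative spellings to retry, in a fixed order.
function pa_candidate_passwords( $password ) {
    $candidates = array();

    // 1. Caps lock was on: invert the case of every letter (digits/symbols unchanged).
    $inverted = '';
    foreach ( mb_str_split( $password ) as $ch ) {
        $lower = mb_strtolower( $ch );
        $inverted .= ( $ch === $lower ) ? mb_strtoupper( $ch ) : $lower;
    }
    $candidates[] = $inverted;

    // 2. The phone capitalised the first character: lower-case it again.
    $candidates[] = mb_strtolower( mb_substr( $password, 0, 1 ) ) . mb_substr( $password, 1 );

    // 3. An extra character was typed at the end: drop the last character.
    $candidates[] = mb_substr( $password, 0, -1 );

    // 4. Whitespace was added at the start or end: trim it.
    $candidates[] = trim( $password );

    // Never retry the password that already failed, and try each variant once.
    return array_values( array_unique( array_diff( $candidates, array( $password ) ) ) );
}

// Priority 30 runs after WordPress' own username/email + password checks (priority 20),
// so a wrong password has already been turned into a WP_Error by the time we see it.
add_filter( 'authenticate', 'pa_retry_with_permutations', 30, 3 );

function pa_retry_with_permutations( $user, $username, $password ) {
    // Only act on a failed password check; leave every other outcome untouched.
    if ( ! is_wp_error( $user ) || 'incorrect_password' !== $user->get_error_code() ) {
        return $user;
    }
    $account = is_email( $username ) ? get_user_by( 'email', $username ) : get_user_by( 'login', $username );
    if ( ! $account ) {
        return $user;
    }
    foreach ( pa_candidate_passwords( $password ) as $candidate ) {
        // wp_check_password() honours pluggable hashers such as WP Password bcrypt.
        // Note: a failed login now costs up to five hash verifications instead of one.
        if ( wp_check_password( $candidate, $account->user_pass, $account->ID ) ) {
            return $account;
        }
    }
    return $user;
}
```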

Security implications

This has some theoretical effect on the security: We absolutely do not make passwords case-insensitive, but we do try an inverted case. So if your password is peiphaiL5Lee0cahL, we will also accept PEIPHAIl5lEE0CAHl, but we will not accept pEIPHAILLee0cahL. We will also accept a password with the first letter capitalized, in case your mobile phone “autocorrects” the first letter into PeiphaiL5Lee0cahL.

The extra-character check and the whitespace trimming only test variants that are longer than your actual password, so they have no practical effect on the strength of the password.

Password strength reduced to one third

This means that the number of strings accepted as your password, among all strings of that length, has gone from 1 to 3. In the worst case, the number of acceptable passwords has tripled. In other terms, the strength of your password is at worst reduced to one third of what it was.

Brute-forcing strong passwords is a waste of time and resources

When automated bots try to brute-force your password, they are not trying every combination possible. They start with the easily available leaked lists of the most common passwords. Trying all possible passwords when people are using passwords of even just medium security strength is simply wasting time and resources.

One third of a gazillion is still a lot

The typical password contains characters from the letters a–z in lower and upper case, numbers, and symbols easily inserted from the keyboard:

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
1234567890
§!"#$%&/()=+?@*<>,.-_

I assume “symbols easily inserted from the keyboard” will vary between keyboard locales, but these were the easiest to insert from my Norwegian Mac keyboard (in addition I’ll have 3 easily available Scandinavian letters: “æøåÆØÅ”).

But let’s stay with the 83 characters displayed above. For a password with the length of 12 characters, this gives us:
83^12 = 1.06890008e23 combinations.

If you’re able to test 10 passwords per second, it will take you up to about 338,945,991,053,593 years to brute-force that password (for simplicity not counting leap years).

If that password strength is reduced to a third, it gives us
83^12 / 3 = 3.56300026e22 combinations

This means it will now “only” take just up to about 112,981,997,017,864 years to brute-force that password (still not counting leap years).

If that scares you, make it a requirement that passwords are at least 13 characters in length. Now it will take up to 9.37750575e15 years to brute-force the password – even when the strength is reduced to a third.

BTW: If you’re on a webhost that lets bots try 10 passwords per second for any substantial time, you need better hosting.

Is password assistance really needed?

I don’t know. Since Facebook is using it, I can assume that they have done their research on it. In my personal experience I know I have tapped in the “correct” password on my phone several times, but the authentication “somehow” failed.

Facts and hard numbers are anyway the best argument here. So my plan now is to gather statistics on whether the permutations would have helped anyone. Expect a follow-up post on this.

Isn’t using a password manager better?

Yes.

However, I suspect most people don’t. So while we educate everyone to use two-factor authentication, strong passwords and password managers, we might have to assist them a little.