With the release of WordPress 4.3, WordPress’ developers have put an end to the problematic practice of emailing passwords to users when they request a new password. The default behavior is now to send a reset link to the user’s email account. In this article, I’d like to discuss why this change is a significant positive move for WordPress users.
What’s wrong with sending passwords via email? The obvious problem is that the password is clearly readable to anyone who has access to the email account, and given that users rarely delete email — often simply archiving it — the password will be available to snoopers for as long as it’s valid.
In general, WordPress does the right things where passwords are concerned. WordPress stores hashes of the password and not the password itself. Hashing is a mathematical function that produces a fixed-length string when given another string as input. It’s (practically) impossible to get from the hash back to the password, and the same password will always produce the same hash. When a WordPress user enters their password, the site simply runs it through the same algorithm and the same hash will result, which can be compared to the hash in the database. Even if an attacker steals the database of hashes, there’s not much they can do with them unless they have a supercomputer and several decades to spare.
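The store-a-hash, recompute-and-compare flow described above, as an added example that is not WordPress code (WordPress itself uses the phpass library; this stand-in uses PBKDF2 from Python’s standard library, and the iteration count and salt length are assumed values chosen for the example):

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example, not WordPress's own settings.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$hash' (both hex) for storage.

    A fresh random salt is drawn unless one is supplied, so two users with the
    same password end up with different stored values. The plaintext password
    is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same function with the stored salt and compare the results.

    Nothing is 'decrypted': the candidate password is hashed the same way and
    the two digests are compared in constant time.
    """
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    stored = hash_password("correct horse battery staple")
    print("database row holds:", stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong guess", stored))  # False
```

Because the salt is stored alongside the digest, the site can always recompute the hash for a login attempt, but it has no way to recover the password to put in an email once only the hash is on disk.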
WordPress was able to email passwords to users because the email was sent after the password was generated and before it was hashed and stored; once only the hash is on disk, the plaintext is no longer available to send.
Rather than emailing passwords, WordPress sites will now email a password reset link instead. The user has to follow the link and create a new password on the site. It might not be immediately obvious why this is better. After all, if the user’s email account has been breached, the attacker has access to the reset link.
But the benefits of using the password reset link are clear:
- It can only be used once — if the password is in the user’s email account, it can be accessed at any time, even months after the password reset.
- It works for a limited period of time — if the user doesn’t reset their password by following the link, it will stop working after a short period of time.
Changing to a password reset link radically reduces the window of opportunity presented to an attacker. They’d have to be very lucky to be looking at the account just as the reset link comes in. It doesn’t reduce the risk to zero, but if the user’s email account is breached, they have bigger problems than their WordPress logins.
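The two properties above, single use and limited lifetime, as an added example of a reset-token store that is not WordPress’s own implementation (the 24-hour lifetime, the `ResetTokenStore` class and its method names are assumptions for this example):

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime for this example


class ResetTokenStore:
    """Issues and redeems single-use, time-limited password reset tokens.

    Only a hash of each token is kept server-side, so a leaked copy of this
    table does not by itself allow a reset; the emailed link carries the only
    plaintext copy, and it stops being useful as soon as it is redeemed or
    its lifetime passes.
    """

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be shown without waiting
        # token_hash -> (username, expires_at)
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        """Return the plaintext token to embed in the emailed link.

        Issuing a new token invalidates any earlier one for the same user, so
        an old link found in the mailbox cannot be used after a newer request.
        """
        self._pending = {k: v for k, v in self._pending.items() if v[0] != username}
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (username, self._clock() + self._ttl)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the username if the token is valid, consuming it; else None.

        The entry is removed whether or not it has expired, so a token can
        never be presented successfully a second time.
        """
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None  # unknown, already used, or superseded by a newer request
        username, expires_at = entry
        if self._clock() > expires_at:
            return None  # the link arrived too late
        return username


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("alice")  # constructed sample user
    print("token to place in the emailed link:", token)
    print(store.redeem(token))  # 'alice'
    print(store.redeem(token))  # None: the link is already spent
```

Contrast this with an emailed password, which stays valid until the user changes it: here the attacker’s window closes on the first use or at expiry, whichever comes first.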
The change from emailing passwords to emailing reset links increases the security of WordPress sites and their users — it’s a welcome change.