WordPress 4.3 encourages users to strengthen their passwords, making their websites more secure. It comes with some updates on the way passwords are chosen and handled.
When creating a new user WordPress automatically generates a strong password by default, which is hidden. To show it you’d have to click on the “Show password” button. That takes an extra step and should you keep away from using a manual – typically weaker – password.
The same process applies if you want to change your password from the
Your Profile screen. instead of showing you textfields to type in your new password WordPress now shows a “Generate password” button. Clicking it generates a secure password for you.
Of course you can override this setting and create your own password. If you want to use a password that WordPress classifies as “Very weak” or “Weak” you have to confirm that you want to use it anyway.
The strong auto-generated passwords and also the need of confirmation to use a weak password are a very useful tools to sensitize users in using better passwords to make WordPress driven websites less vulnerable to brute force attacks.
Another important change to improve security is, that WordPress no longer sends emails containing a password. If you forget your password, WordPress will instead send you a reset password link which will expire after 24 hours.
Furthermore WordPress now uses a plain text field to change the generated password. This reduces typos and makes the second confirmation redundant.
This may alos also interest you: Do not give away your username as a present to hackers.