The password protected posts will soon get an upgrade in their protection. A 12-year old ticket has finally been brought to a closure with the upcoming WordPress 4.7 release. The ticket requested an increase in the password length for protected posts. And now, users will be able to create passwords that are up to 255 characters in length as opposed to the 20 characters that we were allowed previously.
The debate on whether password length matters in security has gone on and on for a long while. We’re taught to make more complex passwords and even websites show 8-character long complex passwords as strong. This dilemma has been carefully handled in this TechNet blog post by Microsoft. Password length undoubtedly tops complexity as complex short passwords make for lesser possibilities in the key-space. A post by Crambler comprehensively explains the nuances of having longer passwords instead of shorter complex ones.
Additionally, passphrases are easier to remember. Gary Pendergast, a core committer in WordPress said, “Longer passwords and passphrases are much more common than when post passwords were introduced all those eons ago, so let’s increase the length of the post_password field from 20 to 255 characters.” Users commonly like to view the passwords, thus the passwords will continue to be stored in plain text.
However, the changes in password length are only for password protected posts. There are other boundaries for WordPress user passwords going up to 1000 characters should you desire it.