Fix password generation algorithm / password meter

Gary Stanley shared this idea 5 months ago
Open Discussion

The backend password generation API / password entropy verification should be improved, and based on entropy and/or NIST Guidelines for passwords.

For example:

  • We do not check anything against a dictionary file like the linux passwd() program which makes what users would consider 'weak' actually 'strong'
  • Y#$Hf[gd is considered a medium password strength
  • Y#$Hf[gdddddddddd is considered 'low', even though there's clearly more entropy.
  • Setting password enforcement to 100/100 and then using a password with 3 letters, 4 numbers and a ! provides 100, such as abc1234! <-- clearly not secure.

Potential Solutions:

  • Seed entropy from /dev/urandom since most modern processors/OS provide sufficient amounts of it
  • Allow fine grained password configuration (ie: limit x/y/z, block z/y/x)
  • Use a dictionary file to hint towards entropy
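As an added illustration of the first "potential solution" above (not code from cPanel or from the original poster), the following Python draws every character from the operating system's CSPRNG via the `secrets` module, which reads `os.urandom` (`/dev/urandom` on Linux), and reports the entropy of the generation process itself. The alphabet, the default length and the eight-word passphrase list are constructed for this example.

```python
import math
import secrets
import string

# Assumed alphabet for this example: letters, digits and a punctuation subset
# that survives most shells and form fields.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Constructed word list; a real passphrase generator would load thousands of words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet", "maple", "quartz"]


def generate_password(length=16, alphabet=DEFAULT_ALPHABET):
    """Draw each character independently and uniformly from `alphabet`.

    secrets.choice is backed by os.urandom, so the result does not depend on
    any seed the process could have chosen badly (unlike the random module).
    """
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=6, wordlist=SAMPLE_WORDS, sep=" "):
    """Join `words` entries drawn uniformly (with replacement) from `wordlist`."""
    if words < 1 or len(set(wordlist)) < 2:
        raise ValueError("need a positive word count and at least two distinct words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def generation_entropy_bits(length, alphabet=DEFAULT_ALPHABET):
    """Entropy of a uniformly generated string: length * log2(distinct symbols).

    This measures the generation process. A meter that only sees the finished
    string cannot recover it exactly, which is why a scoring heuristic such as
    the one discussed in the comments below can only approximate it.
    """
    return length * math.log2(len(set(alphabet)))


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{generation_entropy_bits(16):.1f} bits")
    phrase = generate_passphrase(6)
    print(phrase, f"{generation_entropy_bits(6, SAMPLE_WORDS):.1f} bits")
```

With the sample list of eight words a six-word phrase carries only 18 bits, which shows why the word list, not the word count, dominates passphrase strength; the same call against a list of 7,776 words gives roughly 77.5 bits.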

Comments (10)

photo
4

The negative points system is bad!

aaabb => 11/100

aaabbbaaa => 0/100

The second one is stronger than the first one…

An extra letter should add to the score, be it 0.000001 or 5 points.

This one should get at least a score of 30/100 :)

aaabbbaaaaaaaaaaabbababbababbbabbabbbbabbaabbabbbababbaabbbbbbbbbabbabbbbabbb

This one shouldn't get a score of 30:

105 => 33% !

Something needs to be done, as the current password strength verifier prevents good passwords and allows very bad ones.

105423 => 66% !

photo
1

I want to set a minimum strength since on a shared server the security is only as good as the weakest link.

But I also think long passwords with spaces are much better than hard to remember passwords with numbers and symbols.

This is an easy to fix problem that is currently preventing me from using cPanel because I know people will just go and use the same password they use for everything as you can only remember one or three gibberish passwords and many people don't use a password manager.

photo
1

Here's an example of a good password strength meter implementation (MIT licensed): https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/

A good password measurement system is especially important in cPanel, because it's also what's used for password restrictions. Personally, I'd like to be able to get more granular with password limitations by setting rules like "must be at least [x] characters" or "may not be in a given list".

The current meter rewards poor passwords and penalizes good ones.

photo
3

Here's a recommended way to check password strength:

http://en.wikipedia.org/wiki/Password_strength#NIST_Special_Publication_800-63

1st character : 4 bits

next 7 characters : 2 bits/character

characters 9-20 : 1.5 bits/character

characters 21+ : 1 bit / character

If both upper case and non alpha characters : +6 bits

If password is less than 19 characters, run dictionary check and if no words are found : +6 bits

Maybe add things like if the same password is entered twice only add 1 or 2 bits for the whole second instance of the password, do not reduce the value of the first one.

You could then allow admins to define what entropy is 100% (strong) with a default of maybe 50 being 100% ?

There shouldn't be any negative scores, adding letters doesn't reduce the difficulty to find a password.
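The scoring rules in the comment above, implemented as an added Python example (not cPanel's meter or code from the commenter) so that the examples from the original post and the first comment can be scored side by side. The word list is a constructed stand-in for a dictionary file, the 50-bit "100%" threshold follows the commenter's suggested default, and the cut-off for running the dictionary check (passwords of at most 18 characters, i.e. "less than 19") is taken from the comment; `dictionary_check_max_len` is a hypothetical parameter added here so the cut-off can be relaxed.

```python
# Constructed mini word list; a deployment would load a full dictionary file.
DICTIONARY = ("password", "letmein", "qwerty", "welcome", "dragon", "monkey", "abc")


def contains_dictionary_word(password, dictionary=DICTIONARY):
    """True if any dictionary word occurs inside the lower-cased password."""
    lowered = password.lower()
    return any(word in lowered for word in dictionary)


def position_bits(password):
    """Per-character credit from the SP 800-63 heuristic quoted in the comment."""
    bits = 0.0
    for index in range(len(password)):
        if index == 0:
            bits += 4.0      # 1st character
        elif index < 8:
            bits += 2.0      # characters 2-8
        elif index < 20:
            bits += 1.5      # characters 9-20
        else:
            bits += 1.0      # characters 21+
    return bits


def nist_bits(password, dictionary=DICTIONARY, dictionary_check_max_len=18):
    """Estimated bits: positional credit plus the two +6 bonuses from the comment.

    Nothing is ever subtracted, so the estimate only grows with length except
    where a bonus switches off (see never_decreases below).
    """
    bits = position_bits(password)
    has_upper = any(c.isupper() for c in password)
    has_non_alpha = any(not c.isalpha() for c in password)
    if has_upper and has_non_alpha:
        bits += 6.0
    # The comment only runs the dictionary check on short passwords; None disables the cut-off.
    short_enough = dictionary_check_max_len is None or len(password) <= dictionary_check_max_len
    if short_enough and not contains_dictionary_word(password, dictionary):
        bits += 6.0
    return bits


def strength_percent(password, full_marks_bits=50.0, **kwargs):
    """Map bits to the 0-100 scale an admin configures; full_marks_bits is the assumed 100% point."""
    return min(100, round(100.0 * nist_bits(password, **kwargs) / full_marks_bits))


def never_decreases(password, **kwargs):
    """Check the property the comment asks for: typing one more character never lowers the score."""
    scores = [nist_bits(password[:n], **kwargs) for n in range(1, len(password) + 1)]
    return all(earlier <= later for earlier, later in zip(scores, scores[1:]))


if __name__ == "__main__":
    samples = ["aaabb", "aaabbbaaa", "105", "105423",
               "Y#$Hf[gd", "Y#$Hf[gd" + "d" * 10, "abc1234!"]
    for pw in samples:
        print(f"{pw!r:24} {nist_bits(pw):5.1f} bits  {strength_percent(pw):3d}%")
```

Run as written, "aaabb" scores 18 bits (36%) and "aaabbbaaa" 25.5 bits (51%), so the longer string now outscores the shorter one, and "abc1234!" loses the dictionary bonus because it contains "abc". One caveat the rules as quoted do not cover: the dictionary bonus disappears at 19 characters, so a 19-character password can score 6 bits below its 18-character prefix; passing `dictionary_check_max_len=None` keeps the check (and the bonus) at every length and restores the never-decreasing property.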

photo
1

I've just come across a good password strength validator:

https://github.com/dropbox/zxcvbn

It's currently used by Dropbox.

https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

We will be analysing it for use in our new clients area too.

photo
2

I'm trying to change to a password that consists of more than 50 characters, some of which are letters and punctuation, but the password score is 0 so I can't use it. Is there any way to circumvent the strength requirement, because I know that this is a d*mn secure password?

photo
1

Disable it in WHM and re-enable it afterwards. This really needs some work doing to it.

While ZXCVBN isn't perfect and some weak passwords show as strong, it's much better than cPanel's current password checker, and that's why it's used by scripts like WordPress.

photo
1

bro i tried to crack cpanel but i didn't get it due to false password, could you please add me on yahoo messenger mgmteam@yahoo.com so you can put me through.. i really appreciate it

photo
3

Hello,

We've just had a case where we were unable to set a password for a customer who chose 6 random words from the dictionary. We tried disabling the password strength but still had to change the password because even set at 0 it would not allow us to create the password, saying it had to be at least 5%.

In the end we had to remove 3 words from the password so we could create it.

When a password strength tool prevents you from using more secure passwords and forces you to use less secure passwords something needs to be done.

photo
1

I have also found that long passwords always seem to be penalized over short passwords.

Surely these rules need some updating.