
Fix password generation algorithm / password meter

Gary Stanley shared this idea 4 years ago
Open Discussion

The backend password generation API / password entropy verification should be improved, and based on entropy and/or NIST Guidelines for passwords.

For example:

  • We do not check anything against a dictionary file like the linux passwd() program, which makes what users would consider 'weak' actually 'strong'
  • Y#$Hf[gd is considered a medium password strength
  • Y#$Hf[gdddddddddd is considered 'low', even though there's clearly more entropy.
  • Setting password enforcement to 100/100 and then using a password with 3 letters, 4 numbers and a ! provides 100, such as abc1234! <-- clearly not secure.

Potential Solutions:

  • Seed entropy from /dev/urandom since most modern processors/OS provide sufficient amounts of it
  • Allow fine-grained password configuration (i.e. limit x/y/z, block z/y/x)
  • Use a dictionary file to hint towards entropy

Comments (14)

4

The negative points system is bad!

aaabb => 11/100

aaabbbaaa => 0/100

The second one is stronger than the first one…

An extra letter should add to the score, be it 0.000001 or 5 points.

This one should get at least a score of 30/100 :)

aaabbbaaaaaaaaaaabbababbababbbabbabbbbabbaabbabbbababbaabbbbbbbbbabbabbbbabbb

This one shouldn't get a score of 30:

105 => 33% !

Something needs to be done, as the current password strength verifier prevents good passwords and allows very bad ones.

105423 => 66% !

1

I want to set a minimum strength since on a shared server the security is only as good as the weakest link.

But I also think long passwords with spaces are much better than hard-to-remember passwords with numbers and symbols.

This is an easy-to-fix problem that is currently preventing me from using cPanel, because I know people will just go and use the same password they use for everything, as you can only remember one or three gibberish passwords and many people don't use a password manager.

1

Here's an example of a good password strength meter implementation (MIT licensed): https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/

A good password measurement system is especially important in cPanel, because it's also what's used for password restrictions. Personally, I'd like to be able to get more granular with password limitations by setting rules like "must be at least [x] characters" or "may not be in a given list".

The current meter rewards poor passwords and penalizes good ones.

3

Here's a recommended way to check password strength:

http://en.wikipedia.org/wiki/Password_strength#NIST_Special_Publication_800-63

1st character: 4 bits

next 7 characters: 2 bits/character

characters 9-20: 1.5 bits/character

characters 21+: 1 bit/character

If both upper-case and non-alpha characters: +6 bits

If password is less than 19 characters, run dictionary check and if no words are found: +6 bits

Maybe add things like: if the same password is entered twice, only add 1 or 2 bits for the whole second instance of the password; do not reduce the value of the first one.

You could then allow admins to define what entropy is 100% (strong), with a default of maybe 50 being 100%?

There shouldn't be any negative scores; adding letters doesn't reduce the difficulty of finding a password.
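As an added example (not code from this thread or from cPanel), here is the bit-counting heuristic from the comment above in Python, including the two follow-up suggestions: a repeated password only earns 2 extra bits, and the admin picks how many bits count as 100%. The word list is a constructed stand-in for a real dictionary file.

```python
"""NIST SP 800-63 Appendix A style entropy estimate, as summarised in the comment above."""

# Constructed stand-in for a dictionary file; a real deployment would load
# something like /usr/share/dict/words instead.
DEMO_DICTIONARY = {"password", "correct", "horse", "battery", "staple", "abc", "qwerty"}


def contains_dictionary_word(password: str, dictionary=DEMO_DICTIONARY, min_len: int = 3) -> bool:
    """True if any dictionary word of at least min_len letters occurs in the password."""
    lowered = password.lower()
    return any(len(word) >= min_len and word in lowered for word in dictionary)


def nist_entropy_bits(password: str, dictionary=DEMO_DICTIONARY) -> float:
    """Estimate entropy in bits. Adding characters never lowers the result,
    which is the property the thread says the current meter lacks."""
    half = len(password) // 2
    if password and len(password) % 2 == 0 and password[:half] == password[half:]:
        # Same string entered twice: score the first instance, +2 bits for the repeat
        return nist_entropy_bits(password[:half], dictionary) + 2
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4          # 1st character: 4 bits
        elif position <= 8:
            bits += 2          # characters 2-8: 2 bits each
        elif position <= 20:
            bits += 1.5        # characters 9-20: 1.5 bits each
        else:
            bits += 1          # characters 21+: 1 bit each
    # Composition bonus: both upper-case and non-alphabetic characters present
    if any(c.isupper() for c in password) and any(not c.isalpha() for c in password):
        bits += 6
    # Dictionary bonus only applies below 19 characters and only when no word is found
    if password and len(password) < 19 and not contains_dictionary_word(password, dictionary):
        bits += 6
    return bits


def strength_percent(password: str, full_marks_bits: float = 50.0) -> int:
    """Map bits onto the 0-100 scale used by cPanel's enforcement setting; the admin
    chooses how many bits count as 100% (the comment suggests 50 as a default)."""
    return min(100, round(nist_entropy_bits(password) / full_marks_bits * 100))
```

With these rules abc1234! (a dictionary word plus digits) scores 18 bits, while correcthorsebatterystaple scores 41, the opposite of what the thread reports from the current meter.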

1

I've just come across a good password strength validator:

https://github.com/dropbox/zxcvbn

It's currently used by Dropbox:

https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

We will be analysing it for use in our new clients area too.

2

I'm trying to change to a password that consists of more than 50 characters, some of which are letters and punctuation, but the password score is 0 so I can't use it. Is there any way to circumvent the strength requirement, because I know that this is a d*mn secure password?

1

Disable it in WHM and re-enable it afterwards. This really needs some work doing to it.

While ZXCVBN isn't perfect and some weak passwords show as strong, it's much better than cPanel's current password checker, and that's why it's used by scripts like WordPress.

1

bro i tried to crack cpanel but i didn't get it due to false password, could you please add me on yahoo messenger mgmteam@yahoo.com so you can put me through.. i really appreciate it

3

Hello,

We've just had a case where we were unable to set a password for a customer who chose 6 random words from the dictionary. We tried disabling the password strength but still had to change the password, because even set at 0 it would not allow us to create the password, saying it had to be at least 5%.

In the end we had to remove 3 words from the password so we could create it.

When a password strength tool prevents you from using more secure passwords and forces you to use less secure passwords, something needs to be done.

1

I have also found that long passwords always seem to be penalized over short passwords.

Surely these rules need some updating.

1

Bill Burr who created the original password standards in 2003 says he got it wrong. Basically a password like “Tr0ub4dor&3” can be cracked in three days but a password like “correcthorsebatterystaple” would take a computer 550 years to crack. Take a look here ideal password

1

I think cPanel would be doing its users a disservice if it doesn't update its password strength configuration advice to reflect the contemporary thinking in password format and strength.

The new recommendations of NIST would seem to form an excellent reference resource. See

2

We configured our website to use ZXCVBN last year; we just used it to calculate the password entropy and set our own thresholds (higher than the default ones). We run it in the browser (to have instant password level updates) and with a simple nodejs script run on the command line via php's exec function on the server side to enforce the password strength.

We've had no complaints from customers and have increased the global security of our customers' passwords.

1

I currently have some users' mail account passwords hacked because the password strength calculator is allowing them to write their mail usernames or domains in the password, especially when they have 1 (just 1) special character. Ex.: If you just put myname.surname in the password field, it considers it as strength 100!

Please, this is already being exploited. We urgently need a better password strength enforcer.
