Can you please implement a better password strength checker for more secure passwords.
Have a look here: xkcd: Password Strength
Basically, cPanel doesn't recognize a password like "correct battery horse staple" (as in the example) since it doesn't have mixed case, numbers or punctuation. Yet this password is far more secure than an 8 or 10 digit non-pronounceable, and often non-rememberable password which users forget and have to write down in any case.
According to How Secure Is My Password?, "correct battery horse staple" will take "About 54 octillion years" to hack,
whereas a "secure password" like "y85q_QMS" will take "About 57 day", or a password like "xO]JF!XrV7bd" will take "About 77 million years" to hack.
The last one is more secure, but much more difficult to remember, and as such users lose / forget them and constantly need to reset their passwords, or simply ignore the password generator's passwords and use their own much weaker passwords.
With the feature that I'm suggesting it would be easy to get users to use 4 totally random, but easy to remember passwords instead.
Original thread: http://forums.cpanel.net/f145/better-password-strength-checker-case-59375-a-237902.html
The negative points system is bad!
aaabb => 11/100
aaabbbaaa => 0/100
The second one is stronger than the first one…
An extra letter should add to the score be it 0.000001 or 5 points
This one should get at least a score of 30/100 :)
aaabbbaaaaaaaaaaabbababbababbbabbabbbbabbaabbabbbababbaabbbbbbbbbabbabbbbabbb
This one shouldn't get a score of 30:
105 => 33% !
Something needs to be done, as the current password strength verifier prevents good passwords and allows very bad ones.
105423 => 66% !
I want to set a minimum strength since on a shared server the security is only as good as the weakest link.
But I also think long passwords with spaces are much better than hard to remember passwords with numbers and symbols.
This is an easy to fix problem that is currently preventing me from using cPanel because I know people will just go and use the same password they use for everything as you can only remember one or three gibberish passwords and many people don't use a password manager.
Here's an example of a good password strength meter implementation (MIT licensed): https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
A good password measurement system is especially important in cPanel, because it's also what's used for password restrictions. Personally, I'd like to be able to get more granular with password limitations by setting rules like "must be at least [x] characters" or "may not be in a given list".
The current meter rewards poor passwords and penalizes good ones.
Here's a recommended way to check password strength:
http://en.wikipedia.org/wiki/Password_strength#NIST_Special_Publication_800-63
1st character : 4 bits
next 7 characters : 2 bits/character
characters 9-20 : 1.5 bits/character
characters 21+ : 1 bit / character
If both upper case and non alpha characters : +6 bits
If password is less than 19 characters, run dictionary check and if no words are found : +6 bits
Maybe add things like if the same password is entered twice only add 1 or 2 bits for the whole second instance of the password, do not reduce the value of the first one.
You could then allow admins to define what entropy is 100% (strong) with a default of maybe 50 being 100% ?
There shouldn't be any negative scores, adding letters doesn't reduce the difficulty to find a password.
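The additive scheme in the comment above, written out as an added example (not cPanel's meter and not the commenter's code). It assumes a constructed word list in place of a real dictionary, treats the "password typed twice" idea as +2 bits for the repeated copy, and maps bits to a percentage against an admin-chosen "strong" entropy defaulting to 50 bits; because every rule only adds, a longer password can never score below a shorter prefix of it.

```python
# Constructed stand-in for a real word list; a deployment would load a
# large dictionary (for example the system words file) instead.
SAMPLE_DICTIONARY = {"correct", "horse", "battery", "staple", "password", "admin"}

def contains_dictionary_word(password: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """Case-insensitive substring match against the word list (our choice of check)."""
    lowered = password.lower()
    return any(word in lowered for word in dictionary)

def nist_entropy_bits(password: str, dictionary=SAMPLE_DICTIONARY) -> float:
    """Additive entropy estimate following the NIST SP 800-63 heuristic quoted above.
    No rule subtracts bits, so adding characters never lowers the estimate."""
    n = len(password)
    # Thread suggestion: a password typed twice ("abcabc") keeps the first copy's
    # full value and gains only 2 bits for the second copy (our reading of it).
    if n >= 2 and n % 2 == 0 and password[: n // 2] == password[n // 2 :]:
        return nist_entropy_bits(password[: n // 2], dictionary) + 2
    bits = 0.0
    for i in range(n):
        if i == 0:
            bits += 4          # 1st character
        elif i < 8:
            bits += 2          # characters 2-8
        elif i < 20:
            bits += 1.5        # characters 9-20
        else:
            bits += 1          # characters 21+
    if any(c.isupper() for c in password) and any(not c.isalpha() for c in password):
        bits += 6              # both upper case and non-alphabetic characters present
    if 0 < n < 19 and not contains_dictionary_word(password, dictionary):
        bits += 6              # short password that passes the dictionary check
    return bits

def strength_percent(password: str, strong_bits: float = 50.0) -> int:
    """Map bits to 0-100; strong_bits is the admin-defined entropy that counts as 100%."""
    return min(100, round(nist_entropy_bits(password) / strong_bits * 100))

if __name__ == "__main__":
    for candidate in ("aaabb", "aaabbbaaa", "105", "y85q_QMS", "correct horse battery staple"):
        print(f"{candidate!r}: {nist_entropy_bits(candidate)} bits -> {strength_percent(candidate)}%")
```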
I've just come across a good password strength validator:
https://github.com/dropbox/zxcvbn
It's currently used by dropbox
https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
We will be analysing it for use in our new clients area too.
I'm trying to change to a password that consists of more than 50 characters, some of which are letters and punctuation, but the password score is 0 so I can't use it. Is there any way to circumvent the strength requirement because I know that this is a d*mn secure password?
Disable it in WHM and re-enable it afterwards. This really needs some work doing to it.
While ZXCVBN isn't perfect and some weak passwords show as strong, it's much better than cPanel's current password checker, and that's why it's used by scripts like WordPress.
bro i tried to crack cpanel but i didn't get it due to false password, could you please add me on yahoo messenger mgmteam@yahoo.com so you can put me through.. i really appreciate it
Hello,
We've just had a case where we were unable to set a password for a customer who chose 6 random words from the dictionary. We tried disabling the password strength but still had to change the password because even set at 0 it would not allow us to create the password saying it had to be at least 5%.
In the end we had to remove 3 words from the password so we could create it.
When a password strength tool prevents you from using more secure passwords and forces you to use less secure passwords something needs to be done.
I have also found that long passwords always seem to be penalized over short passwords.
Surely these rules need some updating.
Bill Burr who created the original password standards in 2003 says he got it wrong. Basically a password like “Tr0ub4dor&3” can be cracked in three days but a password like “correcthorsebatterystaple” would take a computer 550 years to crack. Take a look here ideal password
I think cPanel would be doing its users a disservice if they don't update their password strength configuration advice to reflect the contemporary thinking in password format and strength.
The new recommendations of NIST would seem to form an excellent reference resource. See
We configured our website to use ZXCVBN last year, we just used it to calculate the password entropy and set our own thresholds (higher than the default ones). We run it in the browser (to have instant password level updates) and with a simple nodejs script run in command line with php's exec function on the server side to enforce the password strength.
We've had no complaints from customers and have increased the global security of our customer's passwords.
I currently have some users' mail account passwords hacked because the password strength calculator is allowing them to write their mail usernames, or domains, in the password, especially when they have 1 (just 1) special character. Ex.: If you just put myname.surname in the password field it considers it as strength 100!
Please this is already being exploited. We urgently need a better password strength enforcer.
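A check for the failure mode described in this comment (and the "may not be in a given list" rule asked for earlier in the thread), as an added example that is not cPanel's code: before scoring, reject any password that embeds a fragment of the account's own mail username or domain, case-insensitively and regardless of appended punctuation. The username and domain values are constructed; the minimum fragment length of 4 is our choice so that short labels like "com" do not cause false rejections.

```python
import re

MIN_FRAGMENT_LEN = 4  # assumed; short labels such as "com" would otherwise match too often

def identity_tokens(username: str, domain: str) -> set:
    """Fragments of the account identifiers a user is likely to reuse in a password.
    Splits on the separators common in mail names ('.', '@', '_', '-', whitespace)
    and always keeps the full username and full domain as well."""
    tokens = set()
    for source in (username, domain):
        source = source.lower()
        tokens.add(source)
        for part in re.split(r"[.@_\-\s]+", source):
            if len(part) >= MIN_FRAGMENT_LEN:
                tokens.add(part)
    return tokens

def contains_account_identifier(password: str, username: str, domain: str) -> bool:
    """True when the password contains any identity fragment, ignoring case, so that
    'myname.surname!' or 'Example2024#' are caught even though they carry symbols."""
    lowered = password.lower()
    return any(token in lowered for token in identity_tokens(username, domain))

def accept_password(password: str, username: str, domain: str) -> bool:
    """Gate to run before any entropy scoring: identity-derived passwords are refused outright."""
    return not contains_account_identifier(password, username, domain)

if __name__ == "__main__":
    # Constructed account values for the demonstration.
    for candidate in ("myname.surname!", "Example2024#", "correct horse battery staple"):
        print(f"{candidate!r}: accepted={accept_password(candidate, 'myname.surname', 'example.com')}")
```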