  1. #1
    lvt
    Member
    Join Date
    May 2009
    Posts
    36

    Question cPanel Password Strength Meter

    Hi all,

    I have integrated several cPanel APIs in my web application (database, ftp, email, domain...) and I have an issue with the cPanel password strength meter. If the password entered by my clients is not strong enough (<60%) the application will fail, so I need to add a similar password strength meter to my application.

    I've tested some of them but the problem is that the results aren't always identical with cPanel's own password strength meter; sometimes the scores are higher, sometimes they are lower.

    Does anyone currently have a solution for this issue? Thanks for any information.

  2. #2
    cPanel Staff cPanelMatt's Avatar
    Join Date
    Apr 2005
    Location
    Houston, TX
    Posts
    409

    Default Re: cPanel Password Strength Meter

    DISCLAIMER:

    This involves mucking with things that are not actually an API in cPanel; it is subject to change. You implement this with full understanding that future patch, minor or major version updates can break this functionality.


    The passwordstrength system is all based off of a CGI script that is available for usage.

    This script is located at /backend/passwordstrength.cgi

    It takes a single posted parameter of "password" which contains the password.

    It returns a very basic JSON data structure containing a single entry called "strength" which will indicate the numerical strength for the password.

    For example:

    Code:
    curl -k -uusername:password -d 'password=z0mgUlTR$As3Cur3!!' https://localhost:2083/backend/passwordstrength.cgi
    { "strength": 100 }

    Matt Dees
    Integration Developer
    cPanel, Inc.
    cPanel Integration Blog
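
An added example, not part of the reply above and not cPanel code: a Python client for the endpoint that reply describes. It form-encodes the candidate password so characters such as `&`, `+` and `%` reach the server unchanged, and it rejects replies that are not the expected JSON. The function names are hypothetical and the threshold of 60 is an assumption taken from the first post.

```python
import base64
import json
import urllib.parse
import urllib.request

ENDPOINT = "/backend/passwordstrength.cgi"  # path given in the reply above
MIN_STRENGTH = 60  # assumption: the "<60%" figure mentioned in the first post


def build_request(base_url, user, account_password, candidate):
    """Build the POST the reply describes: one form field named 'password'."""
    # urlencode() escapes '&', '+', '%' and spaces; sent raw, they would be
    # decoded by the server into a different password than the one typed.
    body = urllib.parse.urlencode({"password": candidate}).encode("utf-8")
    token = base64.b64encode(f"{user}:{account_password}".encode("utf-8"))
    return urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=body,
        method="POST",
        headers={
            "Authorization": "Basic " + token.decode("ascii"),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def parse_strength(raw):
    """Return the integer 'strength' from the JSON reply, or raise ValueError."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # covers malformed JSON and bad encodings
        raise ValueError("reply is not JSON (login page or error?)") from exc
    value = doc.get("strength") if isinstance(doc, dict) else None
    # Assumption: the score is a JSON integer, as in the sample output above.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("reply has no usable 'strength' field")
    return value


def password_is_acceptable(base_url, user, account_password, candidate,
                           minimum=MIN_STRENGTH, context=None):
    """Ask the server for its score; certificate checks stay on by default."""
    req = build_request(base_url, user, account_password, candidate)
    with urllib.request.urlopen(req, timeout=10, context=context) as resp:
        return parse_strength(resp.read()) >= minimum
```

Unlike the `curl -k` call, this verifies the server certificate unless a custom `ssl.SSLContext` is passed as `context`, and it keeps both passwords out of the process argument list.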

  3. #3
    cPanel Staff cPanelMatt's Avatar
    Join Date
    Apr 2005
    Location
    Houston, TX
    Posts
    409

    Default Re: cPanel Password Strength Meter

    Just as a heads-up, I've added this as an API2 & XML-API call in 11.32; it will be out in a few months.
    Matt Dees
    Integration Developer
    cPanel, Inc.
    cPanel Integration Blog

  4. #4
    Registered User
    Join Date
    Nov 2011
    Posts
    1
    cPanel/Enkompass Access Level

    Reseller Owner

    Default Re: cPanel Password Strength Meter

    Hello.

    Can you, by _any_ chance, consider the following information when building the algorithm for the strength meter? https://www.grc.com/haystack.htm

    I just tried a long, padded password, and after 36~40 characters the strength drops to zero.
    And the results are not consistent across trials or when using it on WHM or cPanel.

    On another light: Can I build my own checker or tweak the existing one?
    Is there any way to make my changes persistent across updates?

    Thank you.

  5. #5
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: cPanel Password Strength Meter

    Quote Originally Posted by elektrastudio View Post
    Hello.

    Can you, by _any_ chance, consider the following information when building the algorithm for the strength meter? https://www.grc.com/haystack.htm

    I just tried a long, padded password, and after 36~40 characters the strength drops to zero.
    And the results are not consistent across trials or when using it on WHM or cPanel.

    Just an off-topic heads-up: suggestions for modifying the strength algorithm are being discussed at: http://forums.cpanel.net/f145/better...er-237902.html

  6. #6
    Member
    Join Date
    Feb 2012
    Posts
    28
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: cPanel Password Strength Meter

    I would definitely love to see a better password checker added but I also would love to see other websites / webapps follow suit in understanding that complexity is not the same as security as noted in the above articles. Great links BTW. Thank you
