Password Strength

[cwihost]

I know that Cpanel has the new password strength meters in the Cpanel accounts where passwords can be changed. However is there any Cpanel utility that can check existing passwords and email them if the password is insecure or not strong?

[cPanelDavidG]

Quote:

Originally Posted by cwihost

I know that Cpanel has the new password strength meters in the Cpanel accounts where passwords can be changed. However is there any Cpanel utility that can check existing passwords and email them if the password is insecure or not strong?

Not at this time, but perhaps you may want to put in a feature request for this at http://bugzilla.cpanel.net and paste a link here pointing to your feature request so others can vote on it and add themselves as CC.

[cPanelDavidG]

Quote:

Originally Posted by pilartorres

Hi,
Is it possible to setup a forgotten password link in the cpanel customer login?

Yes, in WHM -> Server Configuration -> Tweak Settings scroll down to the System section and check Allow cPanel users to reset their password via email. Don't forget to click save at the bottom of the page.

[webignition]

Quote:

Originally Posted by cwihost

I know that Cpanel has the new password strength meters in the Cpanel accounts where passwords can be changed. However is there any Cpanel utility that can check existing passwords and email them if the password is insecure or not strong?

For security reasons, I doubt this would be possible.

User passwords would have to be stored in plain text for them to be read and checked for strength. User passwords won't be stored in plain text, hence they cannot be read and checked for strength.

[cpanelkenneth]

There are third party utilities that can actually do this for you.

[sparek-3]

You wouldn't necessarily have to store the passwords in plain text. Just do a password strength check when the user logs into cPanel or Webmail.

I would like to see an option like this for Webmail because we have been running into a lot of problems with users using mail accounts with insecure passwords, and spammers guessing those passwords to get into webmail and use webmail on the account to send out mail.

A feature where the user logs into webmail, enters their username and password in the popup dialog box, the password strength checker checks the password. If it is below what the server administrator deems as a secure password, then the webmail user is not able to proceed any further.

I might recommend just providing a link for changing the password, but then that becomes counter-intuitive. A spammer logs into a webmail account, sees the message about the password being too insecure, so he just changes the password to something more secure and something that he will know. Then logs in again.

However, maybe you don't put the Change Password link in webmail. Maybe you force the webmail user to either contact the person who has control panel access and change the password there or force the user to change the password via the control panel.

You can do the same thing with control panel access, force the user to contact their hosting provider if their control panel password is insecure.

I should probably make an enhancement request for this, but I wasn't really sure how many people would find this feature useful.

[cPanelDavidG]

Quote:

Originally Posted by sparek-3

I should probably make an enhancement request for this, but I wasn't really sure how many people would find this feature useful.

It never hurts to create one on http://bugzilla.cpanel.net and post a link to your request here. I've seen requests, that I thought people would be uninterested with, acquire many votes and CC's.

[sparek-3]

I made an enhancement request. I'm not sure how many people will really be interested in something like this, but I think it might be an interesting feature and like you said, it never hurts.

http://bugzilla.cpanel.net/show_bug.cgi?id=6022

If you think this might be an interesting feature, please vote for the above enhancement request.

[Infopro]

I'm in. Anything we can do to force them into a stronger password I'd like to have.

[jpetersen]

Voted. This feature would be a great addition to cPanel/WHM. Hard to believe there's only 2 votes for this. I would think a lot more people in the cPanel community would like to see something which improves the security of their servers. It only takes a few moments to create a bugzilla account, visit the URL, and click the vote link.

For those that already have a bugzilla account and are cookied, here is the direct link to vote:
http://bugzilla.cpanel.net/votes.cgi...6022#vote_6022