#1
07-09-2009, 01:10 PM
Registered User
Join Date: Jun 2003
Posts: 37
pcgh
Password strength meets limits but fails

One of my users brought to my attention an interesting item.... I have WHM set to enforce a password strength of 65 across the board for every item.

If the user goes into their cPanel and tries to create an email account using a password in the following pattern:

aaaa+aaaa#

a = lower case alpha character (same as above example)
+ = special character "+"
# = a number (e.g. "5")

So they try to use a password something like this: bnhg+ijyf2

The "Password Strength" indicator will show a strength of 82 / 100 and turns green. However, when the user then tries to create the account it returns an error saying, "Sorry, the password you selected cannot be used because it is too weak and would be too easy to crack. Please select a password with strength rating of 65 or higher."

What's up with that? Any ideas? TIA!

Tony

cPanel / WHM Version: cPanel 11.24.4-S36281 - WHM 11.24.2 - X 3.9

#2
07-10-2009, 11:02 AM
cPanel Quality Assurance
Join Date: Apr 2006
Posts: 3,222
cpanelkenneth
Quote:
Originally Posted by pcgh
One of my users brought to my attention an interesting item.... I have WHM set to enforce a password strength of 65 across the board for every item.

If the user goes into their cPanel and tries to create an email account using a password in the following pattern:

aaaa+aaaa#

a = lower case alpha character (same as above example)
+ = special character "+"
# = a number (e.g. "5")

So they try to use a password something like this: bnhg+ijyf2

The "Password Strength" indicator will show a strength of 82 / 100 and turns green. However, when the user then tries to create the account it returns an error saying, "Sorry, the password you selected cannot be used because it is too weak and would be too easy to crack. Please select a password with strength rating of 65 or higher."

What's up with that? Any ideas? TIA!

Tony

cPanel / WHM Version: cPanel 11.24.4-S36281 - WHM 11.24.2 - X 3.9
Was your server ever on EDGE?
__________________
cPanel Kenneth
cPanel QA

#3
07-10-2009, 11:15 AM
Registered User
Join Date: Jun 2003
Posts: 37
pcgh
Thank you for the reply, Kenneth. No, it was not - it has always been on the stable track, although it is a relatively new installation, having just been set up in the last month or so.

Tony

#4
07-11-2009, 08:06 PM
Registered User
Join Date: Dec 2005
Posts: 2
bhappy
Hi,

We have some of our clients complaining about the same issue on cPanel 11.24.4-RELEASE_36167. Password strength is set to 70 and cPanel doesn't let them reset a password even when the strength meter shows 80.

Thanks.

#5
07-11-2009, 09:28 PM
Registered User
Join Date: Jun 2005
Location: Area 51
Posts: 1,501
Spiral

Sounds like you may have uncovered a bug ...

If the code running the password checks doesn't match up to the
code used in password generation scoring, they may have an issue.
I would think they would call the same functions but maybe not.

I have not observed the problem in EDGE which is what we use
but I will try to see if I can duplicate the issue.

As for you guys on STABLE and RELEASE, I would strongly advise
you both to move up to CURRENT.

STABLE is often far too old to be of much use and is the most
prone to new exploits and attack methods and lacks new
features and capabilities and in some respects dangerous.

RELEASE is only slightly better but not by much.

CURRENT you get the updates for bug fixes reasonably quickly,
most of the new features, and security updates.

EDGE I don't recommend except for seasoned experts like myself
who are capable of handling unexpected issues. This channel
will give you all the very latest features and the fastest route
for updates and ironically bug fixes but at the same time could
have more unexpected issues to deal with too.

#6
07-13-2009, 10:04 AM
cPanel Quality Assurance
Join Date: Apr 2006
Posts: 3,222
cpanelkenneth
This is an issue fixed in cPanel 11.25 ( EDGE ). In 11.24 and prior versions the server side checks were not governed by the same algorithm as the client side checks. cPanel 11.25 harmonizes these into a unified system.
__________________
cPanel Kenneth
cPanel QA
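
Added example (not part of the thread, and not cPanel's code): how a separately written meter and server check drift apart, a test that catches the drift, and the single-scorer layout described in post #6. Both scoring functions and their weights are constructed for illustration; the weights are chosen only so that the thread's sample password shows 82 in the meter.

```javascript
// Constructed example: neither scorer is cPanel's algorithm. Weights are
// chosen so the thread's sample password shows 82 in the meter, as reported.
const CLASSES = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];

function classCount(pw) {
  return CLASSES.filter((re) => re.test(pw)).length;
}

// Hypothetical browser-side meter: length plus character-class variety.
function clientScore(pw) {
  return Math.min(100, pw.length * 4 + classCount(pw) * 14);
}

// Hypothetical server-side check written separately: same base, but it
// also penalises passwords that contain no upper-case letter.
function serverScore(pw) {
  const penalty = /[A-Z]/.test(pw) ? 0 : 25;
  return Math.max(0, clientScore(pw) - penalty);
}

// Drift check: passwords where the meter and the server disagree about
// whether the configured minimum strength is met.
function findDrift(samples, minStrength) {
  return samples.filter(
    (pw) => (clientScore(pw) >= minStrength) !== (serverScore(pw) >= minStrength)
  );
}

// Unified layout: one scorer shared by the meter and the enforcement path.
// The server decision stays authoritative; the meter only previews it.
function score(pw) {
  return clientScore(pw);
}
const meter = (pw) => score(pw);
const enforce = (pw, minStrength) => score(pw) >= minStrength;

const SAMPLES = ["bnhg+ijyf2", "Bnhg+ijyf2", "abc"]; // constructed inputs
console.log(findDrift(SAMPLES, 65)); // [ 'bnhg+ijyf2' ]
```

Running `findDrift` over a fixed sample set in CI against both code paths flags this class of mismatch before users hit it.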

#7
07-13-2009, 10:52 AM
Registered User
Join Date: Jun 2003
Posts: 37
pcgh
Kenneth - Thanks for the update. Will look forward to that trickling down to the other versions.

Spiral - I reckon we may have to consider switching to the CURRENT release. Many years ago we had some problems when using the newer builds and switched to STABLE simply to help avoid problems. But, as I say, that was years ago so it is probably time to move to try the more recent updates.

Thanks!

Tony

#8
08-18-2009, 08:57 PM
Registered User
Join Date: Jan 2004
Posts: 7
gmm6797
Quote:
Originally Posted by cpanelkenneth
This is an issue fixed in cPanel 11.25 ( EDGE ). In 11.24 and prior versions the server side checks were not governed by the same algorithm as the client side checks. cPanel 11.25 harmonizes these into a unified system.
Is there any ETA as to when this will hit the CURRENT builds?

#9
08-19-2009, 08:55 AM
cPanel Quality Assurance
Join Date: Apr 2006
Posts: 3,222
cpanelkenneth
Quote:
Originally Posted by gmm6797
Is there any ETA as to when this will hit the CURRENT builds?
The full feature set for 11.25 still hasn't merged into EDGE. Once that happens then migration to CURRENT will depend upon how quickly EDGE 'calms down.'
__________________
cPanel Kenneth
cPanel QA
All times are GMT -5.