Overview
Password management is consistently a topic of interest amongst a wide range of users, from System Administrators managing entire data centers to cPanel users operating a website or two.
Multiple services support password authentication on cPanel & WHM servers. Users authenticate with passwords to access email, FTP, MySQL databases, cPanel, Web Host Manager, WordPress, and more. Keeping the authentication credentials secure for all of these accounts is often a job unto itself.
How are passwords compromised?
System security is always a moving target: just as technology evolves, attackers evolve as well, so having tools in place at both the user level and the server level will help minimize the risk of a compromise. Since end users are often the ones working most closely with the system and websites, it's worth taking a moment to mention the security of a user's workstation. Keylogging malware, where a user's keystrokes are tracked and transmitted back to a remote attacker, is one of the most common ways for passwords to be compromised. The best way to avoid this issue is to use the following combination:
1. Ensure users with access to your server have up-to-date antivirus and anti-malware software installed on their local machines. This will reduce the success of these types of attack tools against your users.
2. Limit which users have access to your server using tools like WHM >> Host Access Control (Host Access Control - Version 78 Documentation - cPanel Documentation) so users can only access specific resources on your system.
Create Strong Passwords
While it's not feasible to closely monitor every user's password selection, cPanel & WHM does offer some tools that give you control over password strength. You can use WHM >> Password Strength Configuration (Password Strength Configuration - Version 78 Documentation - cPanel Documentation) to set the minimum strength of the passwords on the system, with 0 being the least secure option and 100 being the most secure option. Setting the password strength here will ensure that any passwords a user creates with the "Generate" button in the various cPanel interfaces will be at least this strong. The image below shows a strong password being created for an email account using the "GENERATE" button:
Once you have configured this in WHM, users will not be able to enter a password that is less than the specified minimum required strength. We recommend setting this value to at least 40 to ensure strong passwords are utilized on the system. Strong passwords include a combination of upper and lowercase letters, numbers, and special characters.
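The minimum-strength setting above is a threshold on a 0-100 scale. As an added illustration that is not cPanel's scoring algorithm and not code from this tutorial, the following Python example estimates a password's strength on a 0-100 scale from its length and character-class diversity, rejects a small constructed list of common passwords outright, and checks the result against a policy minimum of 40. The scoring formula, the common-password list, and the function names are assumptions made for this example only.

```python
import math
import string

# Constructed sample list for the example; a real deployment would use a
# much larger breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Character classes and the size of the pool each one contributes to the
# brute-force search space (an assumption for this example, not cPanel's rule).
_OTHER_POOL = 32  # rough allowance for spaces, unicode, etc.


def password_strength(password: str) -> int:
    """Return an illustrative strength score from 0 to 100.

    Score is the estimated brute-force entropy in bits (length * log2(pool)),
    capped at 100. Known common passwords score 0 regardless of length.
    This is NOT the algorithm cPanel & WHM uses; it is an example estimate.
    """
    if not password or password.lower() in COMMON_PASSWORDS:
        return 0

    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += len(string.ascii_lowercase)  # 26
    if any(c in string.ascii_uppercase for c in password):
        pool += len(string.ascii_uppercase)  # 26
    if any(c in string.digits for c in password):
        pool += len(string.digits)  # 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32
    known = string.ascii_letters + string.digits + string.punctuation
    if any(c not in known for c in password):
        pool += _OTHER_POOL

    entropy_bits = len(password) * math.log2(pool)
    return min(100, round(entropy_bits))


def meets_policy(password: str, minimum: int = 40) -> bool:
    """True if the password scores at or above the configured minimum."""
    return password_strength(password) >= minimum


if __name__ == "__main__":
    for candidate in ["password", "abcdefgh", "tr0ub4dor", "Password1!",
                      "xK9#mQ2$vL7@pR4!"]:
        print(f"{candidate!r}: {password_strength(candidate)} "
              f"-> {'OK' if meets_policy(candidate) else 'too weak'}")
```

Note how an eight-character lowercase-only password lands just under the recommended minimum of 40, while adding uppercase, digits, and symbols (the mix the paragraph above describes) pushes a ten-character password comfortably over it.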
Another important aspect of keeping passwords secure is using unique passwords for all of your accounts. While it may be tempting to use one password to access multiple accounts or services, if that password were to be compromised you would need to consider all the places you use that password as potentially compromised as well.
For an additional level of security you can enable Two-Factor Authentication for your users. This requires them to use not only a password but also a temporary security code. With this option enabled the user enters their password, then a code is sent to their smartphone that is also entered into the interface. This way, if the password is compromised it still can't be used to log in, as the attacker would also need the security code.
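To show how a temporary security code of the kind described above can be checked on the server side, here is an added Python example (not cPanel's implementation and not code from this tutorial) of a time-based one-time password (TOTP, RFC 6238) generator and verifier built on HMAC-SHA1 from the standard library. It assumes a TOTP scheme with 30-second steps and six digits; the verifier accepts one step of clock drift in either direction and compares codes in constant time. The secret below is the RFC 6238 test-vector secret, used here only so the results are reproducible.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); for the example only.
DEMO_SECRET = b"12345678901234567890"


def generate_secret(nbytes: int = 20) -> str:
    """Create a fresh random secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_from_base32(encoded: str) -> bytes:
    """Decode a base32 secret as stored in an enrollment QR code."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the number of steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Check a submitted code, tolerating +/- `window` steps of clock drift.

    Uses hmac.compare_digest so the comparison does not leak timing about
    how many leading digits matched.
    """
    if len(code) != digits or not code.isdigit():
        return False
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    current = totp(DEMO_SECRET, now)
    print("current code:", current)
    print("accepted now:", verify_totp(DEMO_SECRET, current, now))
    print("accepted 2 steps later:", verify_totp(DEMO_SECRET, current, now + 60))
```

The drift window is a deliberate trade-off: a window of one step keeps a code valid for roughly 30 to 60 seconds beyond its nominal period so that slightly skewed phone clocks still work, while a wider window gives a captured code a longer useful life. Production systems also record the last accepted counter so the same code cannot be replayed within the window.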
Third-Party Password Management Applications
We hope the days of using a sticky note under a keyboard are behind us, but remembering the passwords to all your accounts can be challenging, if not impossible.
Fortunately, there are modern password management solutions to store your passwords. Tools like LastPass, 1Password, or KeePass make it easy to track and organize all of your passwords. I do need to mention that cPanel & WHM isn't affiliated with and doesn't endorse any one of those particular tools. Most of these applications work in a similar fashion: they store all of your passwords on the machine but give you access to all of them with one master password. The tools run either as a local app on a device, a program that runs in the background on a computer, or a browser extension. All you have to do is remember your master password and the tools take care of the rest. Some applications will even handle addresses and credit card numbers for personal use, so you can use them beyond normal computer or server administrative tasks.
Sharing Passwords - Do's and Don'ts
This is always a contentious issue for System Administrators, but there may be times when you need to reset and provide a password to an end user. The key to doing this securely is to avoid any transmission method that risks the data being sent in plain text. These methods include insecure emails, text messages, and instant messenger applications.
In general, don't: it's best not to provide passwords manually through any means. Instead, you should encourage users to keep their contact information updated (through cPanel >> Contact Information) so password resets can be performed directly from the cPanel login screen if that becomes necessary. NOTE: If the user doesn't have a valid contact email address, the cPanel password reset screen will create a randomly generated email to fill that text box.
Additional Questions/Feedback
Feel free to click on the Discussion tab to let us know if you have any questions or feedback about the information in this tutorial.