
A way to test cPanel and/or email passwords for complexity in a script?

Discussion in 'Security' started by florenceit, Mar 2, 2012.

  1. florenceit

    Hi

    Is there any way to do this? Lately I've been experiencing a lot of hacked passwords and recently turned on password complexity for the server.

    I am hoping there is some way I can test all passwords for cPanel and/or email for complexity requirements so I can work with the largest offenders first.

    From my reading I see there is an API call, but I'm not a programmer.

    Does anyone have anything like this?

    Thank you!!
     
  2. Brian

    cPanel, email, and most 3rd party script passwords are stored as an MD5 hash. Given its one-way encryption, there's no way you would be able to (reasonably) determine what someone's password is to then determine its complexity.

    You can, however, force your users to set passwords of a specified complexity when they're setting/changing them.

    Please read: Configure Security Policies

    It sounds like you've already done this, though.

    Once the passwords are set, you're out of luck for determining their strength score. So, you may need to at least initially force all of your users to reset their passwords to be assured of their compliance with your chosen minimum complexity.

    For non-WHM/cPanel/email logins (3rd party scripts), you'd be left up to whatever solutions that 3rd party script provides (or writing your own solution).
     
  3. florenceit

    Thanks, this is excellent. No, I haven't done it yet. I do not wish to permanently (yet) force people to change passwords every so often, as I expect this will generate a lot of complaints... but I'm thinking that I could set passwords to be force-changed via policy every, say, 2 months. Once everyone changes, and I have the password strength setting already turned on, they will be forced to use and change to a more complex password. Then I could shut off the policy force change every 2 months once I get the password changes I need. Sounds workable?

    Important question though, so I can warn my users: how will they be notified or prompted to change their passwords for the various services: cPanel, email, FTP? Will they just fail with an error on the last day? Redirect them to a page to update the password or anything like that? I'm worried about how much customer support I might have to provide all at once. Obviously I'll notify the users myself, but some people surely won't read the email or something and will be caught by surprise. Inevitably.

    Thanks!

    Matt
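
An added example, not part of any post in this thread and not cPanel's own code: because a stored hash cannot be scored for strength, this sketch instead lists accounts whose password was last set before the strength policy was enabled, which is what the forced-reset plan discussed above needs to track. It assumes account records in standard shadow(5) format (as in /etc/shadow); the sample lines, the policy date and the function name are constructed for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
POLICY_DATE = date(2012, 3, 1)  # hypothetical: day the strength policy went live
# crypt(3) hash prefixes; anything else is reported as "other"
SCHEMES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}

# Constructed sample in shadow(5) format; not real accounts or hashes.
SAMPLE = """\
alice:$1$CONSTRUCT$placeholderplaceholder00:14800:0:99999:7:::
bob:$6$CONSTRUCT$placeholderplaceholder00:15410:0:99999:7:::
carol:$6$CONSTRUCT$placeholderplaceholder00:15100:0:99999:7:::
dave:!!:15000:0:99999:7:::
erin:$1$CONSTRUCT$placeholderplaceholder00::0:99999:7:::
"""

def stale_accounts(shadow_text, policy_date):
    """Return (user, last_change, scheme) for every usable password that
    was last set before policy_date: unknown dates first, then oldest.
    last_change is None when the file records no change date."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or line.lstrip().startswith("#"):
            continue
        user, pw_hash, lastchg = fields[0], fields[1], fields[2]
        # Empty, "*" or "!"-prefixed hash field: no password login possible.
        if not pw_hash or pw_hash[0] in "*!":
            continue
        scheme = next((name for prefix, name in SCHEMES.items()
                       if pw_hash.startswith(prefix)), "other")
        if not lastchg.isdigit():
            # No recorded change date: cannot prove it postdates the policy.
            found.append((user, None, scheme))
            continue
        # Field 3 is the last change, in days since 1970-01-01.
        changed = EPOCH + timedelta(days=int(lastchg))
        if changed < policy_date:
            found.append((user, changed, scheme))
    return sorted(found, key=lambda r: (r[1] is not None, r[1] or EPOCH))

if __name__ == "__main__":
    for user, changed, scheme in stale_accounts(SAMPLE, POLICY_DATE):
        print(f"{user:10} last change: {changed or 'unknown'}  hash: {scheme}")
```

Accounts that drop off this list have set a password under the new policy; the ones that remain are the candidates for a forced reset.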
     