Mass password change for all cPanel accounts?

mm1250

Well-Known Member
Nov 10, 2006
108
0
166
Hello,

I have a server with about 200ish cPanel accounts and I need to do a mass password change. Is there an easy way to accomplish this without having to update them 1-by-1?
 

kbuser

Well-Known Member
Aug 25, 2008
66
2
58
I'm not aware of any built in functionality to do this, but you could write a script to do it using the xml-api.

Are the passwords going to be unique entered on a case by case basis, all the same (bad idea), or something unique but random?
 

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
with the wide spread of iframe attacks and users keeping stupid passwords i think a feature like password policy which forces users to change their password once a month old would be great.

This would certainly enhance the security of accounts.
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,212
13
313
Houston, TX
cPanel Access Level
Root Administrator
with the wide spread of iframe attacks and users keeping stupid passwords i think a feature like password policy which forces users to change their password once a month old would be great.

This would certainly enhance the security of accounts.
This functionality is currently being considered for implementation. Internal Case 33582.
 

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
thanks for sharing the info.

Everytime we get a complaint for iframe injected account its mostly the case of leaked password, either the client used infected system, hates anti-virus thinking it will slow down his computer, or he accessed ftp using a public access (cafe, etc) but never cares to change his password.

with such a feature it will certainly force users to have better security cause.

Minimum cpanel password strength would ensure he avoids simple passwords.
and compulsary change would ensure that if his reseller provided him with password like website123, its changed whenever he's prompted.

lastly if the feature includes a option in root whm to "force this user to change password on next logon" it will go a extra mile in security.

Thanks again for the information.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
Minimum cpanel password strength would ensure he avoids simple passwords.
It is already possible to specify a minimum password strength for various passwords. Look for the feature WHM's security center.

and compulsary change would ensure that if his reseller provided him with password like website123, its changed whenever he's prompted.
cPanel 11.25.1 will have a password aging feature. Once enabled and configured it will force the user to change the password after the day threshold is met.
[/quote]

lastly if the feature includes a option in root whm to "force this user to change password on next logon" it will go a extra mile in security.

Thanks again for the information.
That is not under consideration at this time.
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
cPanel 11.25.1 will have a password aging feature. Once enabled and configured it will force the user to change the password after the day threshold is met.
Just curious..how do you force them?
Will it warn them that failing to choose a new password will lock the account or something?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
Just curious..how do you force them?
Will it warn them that failing to choose a new password will lock the account or something?
After successful authentication, and before displaying the cPanel interface, user is presented a Change Password page.

If user attempts to cancel the password change, he is logged out of cPanel.

Hence once password age threshold is met or exceeded the user must change his password before being able to access cPanel.

The interfaces are still in flux, but will inform the user why he is being forced to change his password and why he cannot bypass the request.
 

Infopro

Well-Known Member
May 20, 2003
17,085
518
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
Important cPanel/WHM Version Number Designation Change

Please Note: Important cPanel/WHM Version Number Designation Change

As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
Important cPanel/WHM Version Number Designation Change (To be updated)

This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
 

Host4u2

Well-Known Member
Mar 24, 2002
247
0
316
When and where in cPanel/WHM, will "Forced Password Change" be available?

The bank forces you to change password every 90 days before logging in. How hard is it to force a password change for users on a cpanel account, like every 90 days, or whenever the admin decides is a good time to do it?

I believe this is an important security measure in today's web environment!
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,212
13
313
Houston, TX
cPanel Access Level
Root Administrator
When and where in cPanel/WHM, will "Forced Password Change" be available?

The bank forces you to change password every 90 days before logging in. How hard is it to force a password change for users on a cpanel account, like every 90 days, or whenever the admin decides is a good time to do it?

I believe this is an important security measure in today's web environment!
This is currently in version 11.27 which will become version 11.28 when it is production worthy.

To configure this, go to WHM -> Security Center -> Configure Security Policies. Check the checkbox for Password Age. The default setting for maximum password age is 90 days. That's all you will need to do to force cPanel/WHM users to change their passwords periodically.

I also recommend enabling the other security policies as well: "Limit logins to verified IP Addresses" and "Password Strength."
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
When and where in cPanel/WHM, will "Forced Password Change" be available?

The bank forces you to change password every 90 days before logging in. How hard is it to force a password change for users on a cpanel account, like every 90 days, or whenever the admin decides is a good time to do it?

I believe this is an important security measure in today's web environment!
In addition to the functionality David mentioned, cPanel 11.28 will allow a forced password change. This is provided via the Force Password Change interface in WHM. All users, or only select users, can be forced to change their password at next login.
 

Infopro

Well-Known Member
May 20, 2003
17,085
518
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
In addition to the functionality David mentioned, cPanel 11.28 will allow a forced password change. This is provided via the Force Password Change interface in WHM. All users, or only select users, can be forced to change their password at next login.
This is great news. Set stronger password requirements, and then force all users to set a new password. :)

Some won't be happy I'll bet, but it'll help security wise for sure.