The Community Forums


Problems with "dictionary based" passwords

Discussion in 'General Discussion' started by orish, Jul 28, 2011.

  1. orish

    orish Registered

    Joined:
    Jul 28, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Hi, this is a repeat of an old thread that was closed but so far as I can tell never resolved.

    I've tried to change my password to something like 387chesterfield$... but cpanel tells me that this isn't possible because it is based on a dictionary word. Well, I can't find chesterfield in the dictionary, or any of the other names or made-up words that I use for the password... but previously, when I went into WHM via the root/superuser, I was able to change the password to anything I wanted for a web account.

    What's going on, and why can't I override the no dictionary word restriction?

    Can you please explain how to configure cpanel (after all, I'm the only one going in to change passwords for any user account, so I should be able to choose any password I like - and interestingly, it will let me change the password to "12" telling me that it is very weak, but it won't let me choose a more complex password based on some memorable word or name).

    Alternatively, how can I issue a "password" shell command directly, or via the root user? The WHM interface is different from before, and I can't find where to change passwords for website accounts.

    Many thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The message regarding the use of a dictionary word is an OS-level restriction, and the error is provided by the backend/OS (cPanel just displays the failure reason for you). In other words, your OS is not happy with the complexity of the password so it refused to use it.

    This is controlled here on CentOS:

    Code:
    /etc/pam.d/system-auth
    While you are welcome to manually edit the above file at your own risk, we can't support trying to subvert the default security settings of your OS to provide a less secure experience. Instead, we can only advise that you adjust the password strength configuration found at:

    "WHM >> Security Center >> Configure Security Policies"

    Thank you.
     
  3. DanH42

    DanH42 Active Member

    Joined:
    Sep 11, 2011
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Bloomington, IL
    cPanel Access Level:
    Root Administrator
    This is absolutely silly. "387chesterfield$" is MUCH more secure than "12". This comic explains the situation quite well. Reminding your users that the password they want is insecure isn't a problem, but restricting their ability to use passwords that THEY know are secure is outright foolish. The password "correcthorsebatterystaple" is based on FOUR dictionary words, but would take FOREVER to brute-force, while "e$2*06iO" could be guessed relatively quickly.
    Thanks to all the restrictions, passwords have gotten easier and easier to guess as more and more passwords get blacklisted. "Password must contain at least 7 characters consisting of a lower and uppercase letter, and a number" may sound like it keeps out insecure passwords, but when a hacker reads that, they see "When attacking this site, you don't have to bother trying passwords like 75jih86kh, p8Ui&, or YYOIJ7I9".
     
    #3 DanH42, Sep 11, 2011
    Last edited: Sep 11, 2011
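    The "based on a dictionary word" message that cPanelMichael traces to /etc/pam.d/system-auth comes from the pam_cracklib module, which hands the candidate password to the cracklib library. The script below is an added example, not code from the thread or from cPanel, and it imitates only the part of that check relevant to this discussion: cracklib lower-cases the password, trims leading and trailing non-letters, also tries the reversed string, and looks the remainder up in its packed dictionary. The four-entry word list is constructed for the example and stands in for that dictionary, so the verdicts only show the mechanism (why "387chesterfield$" is rejected while "12" merely passes as weak, using the sample passwords from both posts above); everything else about the real check is simplified away.

```shell
#!/bin/sh
# Added example: a simplified imitation of the dictionary test that
# pam_cracklib applies. On CentOS the module is pulled in by this line
# in /etc/pam.d/system-auth (default syntax, shown for reference only):
#
#   password    requisite     pam_cracklib.so try_first_pass retry=3
#
# The word list is constructed for this example; the real library uses the
# packed dictionary under /usr/share/cracklib/ via cracklib-check(8).

WORDLIST='chesterfield
password
horse
battery'

# Lower-case the candidate and drop leading/trailing non-letters, which is
# how "387chesterfield$" is reduced to "chesterfield" before lookup.
strip_candidate() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/^[^a-z]*//' -e 's/[^a-z]*$//'
}

# Reverse a string with awk; rev(1) is not present on every system.
reverse_string() {
    printf '%s' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# Exit 0 when the word is an exact line of WORDLIST, 1 otherwise.
in_wordlist() {
    printf '%s\n' "$WORDLIST" | grep -qx -- "$1"
}

# Exit 0 when the password is "based on a dictionary word" under this
# simplified model, 1 otherwise.
dictionary_based() {
    core=$(strip_candidate "$1")
    [ -n "$core" ] || return 1   # "12" has no letters left: not a dictionary hit
    in_wordlist "$core" && return 0
    in_wordlist "$(reverse_string "$core")" && return 0
    return 1
}

# Report the verdict in the format cracklib-check prints: "<pw>: OK" or
# "<pw>: it is based on a dictionary word".
check_password() {
    if dictionary_based "$1"; then
        printf '%s: it is based on a dictionary word\n' "$1"
    else
        printf '%s: OK\n' "$1"
    fi
}

for pw in '387chesterfield$' 'dleifretsehc' '12' 'e$2*06iO' 'correcthorsebatterystaple'; do
    check_password "$pw"
done
```

    On a real CentOS host the genuine check is one command away: `printf '%s\n' '387chesterfield$' | cracklib-check` prints the same kind of verdict against the full dictionary, which is the quickest way to confirm that the rejection is coming from the OS rather than from WHM. Two caveats a practitioner should keep in mind: the lookup is against the whole trimmed string, so a passphrase made of several concatenated words is not itself a dictionary entry; and pam_cracklib by default only prints the failure when root changes another user's password and lets the change through anyway, unless `enforce_for_root` is set in the module line, which is consistent with root having been able to set the password from WHM before.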