

Problems with "dictionary based" passwords

Discussion in 'General Discussion' started by orish, Jul 28, 2011.

  1. orish

    orish Registered

    Jul 28, 2011
    Hi, this is a repeat of an old thread that was closed but so far as I can tell never resolved.

    I've tried to change my password to something like 387chesterfield$... but cpanel tells me that this isn't possible because it is based on a dictionary word. Well, I can't find chesterfield in the dictionary, or any of the other names or made-up words that I use for the password... but previously, when I went into WHM via the root/superuser, I was able to change the password to anything I wanted for a web account.

    What's going on, and why can't I override the no dictionary word restriction?

    Can you please explain how to configure cpanel (after all, I'm the only one going in to change passwords for any user account, so I should be able to choose any password I like - and interestingly, it will let me change the password to "12" telling me that it is very weak, but it won't let me choose a more complex password based on some memorable word or name).

    Alternatively, how can I issue a "password" shell command directly, or via the root user? The WHM interface is different from before, and I can't find where to change passwords for website accounts.

    Many thanks!
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello :)

    The message regarding the use of a dictionary word is an OS-level restriction, and the error is provided by the backend/OS (cPanel just displays the failure reason for you). In other words, your OS is not happy with the complexity of the password so it refused to use it.

    This is controlled here on CentOS:

    While you are welcome to manually edit the above file at your own risk, we can't support trying to subvert the default security settings of your OS to provide a less secure experience. Instead, we can only advise that you adjust the password strength configuration found at:

    "WHM >> Security Center >> Configure Security Policies"

    Thank you.
  3. DanH42

    DanH42 Active Member

    Sep 11, 2011
    Bloomington, IL
    cPanel Access Level:
    Root Administrator
    This is absolutely silly. "387chesterfield$" is MUCH more secure than "12". This comic explains the situation quite well. Reminding your users that the password they want is insecure isn't a problem, but restricting their ability to use passwords that THEY know are secure is outright foolish. The password "correcthorsebatterystaple" is based on FOUR dictionary words, but would take FOREVER to brute-force, while "e$2*06iO" could be guessed relatively quickly.
    Thanks to all the restrictions, passwords have gotten easier and easier to guess as more and more passwords get blacklisted. "Password must contain at least 7 characters consisting of a lower and uppercase letter, and a number" may sound like it keeps out insecure passwords, but when a hacker reads that, they see "When attacking this site, you don't have to bother trying passwords like 75jih86kh, p8Ui&, or YYOIJ7I9".
    #3 DanH42, Sep 11, 2011
    Last edited: Sep 11, 2011
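
The numbers behind the comparison in this thread, as an added example that is not part of any post and is not cPanel or OS code. It estimates guessing effort for the passwords named above under two guessing models and counts how much of the search space a "lower + upper + number" rule excludes; the 2048-word list size, the exact length of 7 and the alphanumeric-only alphabet are assumptions.

```python
import math
import string
from itertools import combinations

# Character classes of printable ASCII (space excluded).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def charset_bits(password):
    """Upper bound in bits for blind character-by-character guessing:
    length * log2(size of the union of the classes the password uses).
    Human-chosen passwords are usually weaker than this bound."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def wordlist_bits(n_words, list_size=2048):
    """Bits when the guesser knows the password is n_words drawn at random
    from a list of list_size words (2048 is an assumed list size)."""
    return n_words * math.log2(list_size)

def compliant_count(length, required, optional=0):
    """Strings of exactly `length` characters containing at least one
    character from every required class (class sizes given), counted by
    inclusion-exclusion over the classes that could be missing."""
    alphabet = sum(required) + optional
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            total += (-1) ** k * (alphabet - sum(missing)) ** length
    return total

def policy_report(length=7):
    """Effect of 'lower + upper + number' on the alphanumeric space."""
    allowed = compliant_count(length, [26, 26, 10])
    everything = 62 ** length
    return allowed, everything, 1 - allowed / everything

if __name__ == "__main__":
    for pw in ("12", "387chesterfield$", "e$2*06iO", "correcthorsebatterystaple"):
        print(f"{pw!r:30} {charset_bits(pw):6.1f} bits (blind guessing bound)")
    print(f"four random words: {wordlist_bits(4):.0f} bits (word-aware guessing)")
    allowed, everything, lost = policy_report()
    print(f"7-char policy keeps {allowed} of {everything} ({lost:.1%} excluded)")
```

The per-character figure is only an upper bound; the word-list figure shows what remains when the guesser already knows how the password was built.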
