The Community Forums


Trivially weak passwords are permitted. - why issue

Discussion in 'Security' started by postcd, Sep 12, 2014.

  1. postcd

    postcd Well-Known Member

    The security advisor (Home » Security Center » Security Advisor)

    says:
    I have strength 10 in Home » Security Center » Password Strength Configuration.

    I thought there is cPHulk enabled, which prevents excessive password guessing, so why should I worry about having allowed this lower level of password complexity?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    cPHulk is designed to help prevent brute force attacks, but it does not prevent someone from attempting them, and is not a replacement for good security practices. Using a strong password increases the number of login attempts it takes to crack a password.

    Thank you.
     
  3. dalem

    dalem Well-Known Member
    PartnerNOC

    Because hackers now employ distributed slow brute force attacks, which, if I am not mistaken, cPHulk does not defend against. Michael can confirm or deny if it's true.

    Best to install csf & enable distributed attack protection.

    Even though your customers may not like it, you have to protect them from their own stupidity.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Yes, it's true that someone could just attempt a low number of logins per hour and not trigger a block from cPHulk. The "Scenario" section in our cPHulk documentation page explains this:

    cPHulk Brute Force Detection

    It's one of several reasons why strong passwords should always be used.

    Thank you.
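
The gap discussed in this thread, as an added example (not part of any post, and not cPHulk or csf code): a per-IP failure counter misses guessing that is spread thinly over many addresses, while counting failures per account across all IPs exposes it. The thresholds, function names and login events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical thresholds for illustration; not cPHulk or csf defaults.
WINDOW = timedelta(hours=1)
PER_IP_LIMIT = 5         # failures tolerated from one IP inside WINDOW
PER_ACCOUNT_LIMIT = 20   # failures against one account inside WINDOW, any IP
MIN_DISTINCT_IPS = 10    # spread required before calling it "distributed"

def _windows(hits):
    """Yield each sliding WINDOW over (timestamp, ip) hits, oldest first."""
    hits = sorted(hits)
    start = 0
    for end, (ts, _ip) in enumerate(hits):
        while ts - hits[start][0] > WINDOW:
            start += 1
        yield hits[start:end + 1]

def _group(events, key):
    groups = defaultdict(list)
    for ts, account, ip in events:
        groups[account if key == "account" else ip].append((ts, ip))
    return groups

def noisy_ips(events):
    """IPs that a purely per-IP counter would block."""
    return {ip for ip, hits in _group(events, "ip").items()
            if any(len(w) > PER_IP_LIMIT for w in _windows(hits))}

def distributed_targets(events):
    """Accounts under slow, spread-out guessing: (failures, distinct IPs)."""
    flagged = {}
    for account, hits in _group(events, "account").items():
        for w in _windows(hits):
            ips = {ip for _, ip in w}
            if len(w) >= PER_ACCOUNT_LIMIT and len(ips) >= MIN_DISTINCT_IPS:
                flagged[account] = (len(w), len(ips))
                break
    return flagged

def sample_events():
    """Constructed failed-login events: (timestamp, account, source IP)."""
    t0 = datetime(2014, 9, 12, 12, 0)
    events = [(t0 + timedelta(seconds=20 * k), "bob", "192.0.2.50") for k in range(8)]
    for i in range(30):  # 30 IPs, 2 guesses each, spread over an hour
        ip = f"198.51.100.{i + 1}"
        events.append((t0 + timedelta(minutes=i), "alice", ip))
        events.append((t0 + timedelta(minutes=30 + i), "alice", ip))
    return events
```

On the constructed data, the per-IP view flags only the single noisy address hitting "bob", while the per-account view flags "alice", who received 60 failures in the hour with no single IP exceeding 2.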
     