Webmail password strength bug

Lethe

Member
Jun 17, 2017
10
2
3
Here
cPanel Access Level
Website Owner
Hello,

While trying to access webmail (cPanel -> Mail accounts -> webmail) for a specific account, I get the following:
Your password does not meet the strength requirements, you must change it now to avoid having your account compromised.

Since I have multiple clients using IMAP, I'd rather not reset the password to break them then get blocked for failed logins. So I decided to try to enter the old password as the new password. Of course, it won't let me and asks for a new password.

However, when entering the old password as the new one, the strength is "Strong" with 87/100.

So why is it forcing me to change the password because of strength requirements all the while claiming it's strong enough?

cPanel version: 70.0 (build 48)

Any help appreciated.
 

Lethe

Since I can't edit this post (claims it's spam):
I reset the password through WHMCS, and it worked. I still get the same prompt in webmail though.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,252
313
Houston
Hi @Lethe

Can you tell me what you have set for Password Strength at WHM >> Security Center >> Password Strength Configuration? A screenshot of the UI would be helpful.

Thanks!
 

cPanelLauren

Hi @Lethe

Thank you for that. I'm trying to understand why you would get that notification on an existing account (so I can attempt to replicate the issue), so please bear with me. Which, if any, security policy items do you have enabled at WHM >> Security Center >> Configure Security Policies?

Thanks!
 

cPanelLauren

Hi @Lethe

Thank you again. I'm trying to replicate the password strength discrepancy but finding I'm unable to. I've set the password strength to default (65) and I've enabled the password strength security policy. I then went to log in to one of my accounts which has a password weaker than 65, and it re-routed me to the interface to change my password. The only thing is, I couldn't get it to fail or not allow a password which met the strength requirements.