[cPanel-News] cPanel News Bulletin January 2008 - Password Strength

Eric Gregory eric at cpanel.net
Fri Jan 25 01:02:28 CST 2008


Minimum Password Strength Checking
======================================

A new feature introduced in build 18673 is a minimum password strength 
check, found in the Security Center. This feature allows an 
administrator to define a minimum password strength threshold. Passwords 
that do not meet the threshold are rejected, both at the client and 
system levels. Once enabled, the check is applied to nearly every 
function and feature within WHM and cPanel that allows setting or 
changing of passwords.


To Enable
------------

By default, no minimum password strength checking is performed. The 
Javascript meters will still gauge the 'effective' strength of a 
password, but cPanel/WHM will not prevent changing or setting a password 
to a weak value. To enable minimum password strength checking, an 
administrator would use the Password Strength Configuration utility 
found in the Security Center within WHM.

The Password Strength Configuration tool allows setting a global Default 
strength minimum, applied to all password modification and setting 
functions. In addition, the following fine-grained, Individual 
thresholds can be set:

Mailing Lists
Email Accounts
FTP Accounts
System/cPanel Accounts
PostgreSQL Accounts
SSH Keys
WebDisk/WebDAV Accounts
cPAddon/Site Software Installs
Account Creation
MySQL Users
Bandmin Access

Each of the above can either be stipulated, or allowed to inherit the 
global Default strength minimum.

Note: the System/cPanel Accounts threshold is enforced when changing the 
password for an existing account, including the root account. This 
differs from the Account Creation threshold, which determines the 
threshold used during account creation.

It is possible to set only an Individual check. For example, an 
administrator could determine that all system accounts must have a 
minimum password strength of 70, while no others, including the global 
strength minimum, are enforced. This is done by setting a threshold 
value for:

  o System/cPanel Accounts
  o Account Creation

but leaving all other options, including the Default, unchecked.

The password strength minimums can also be set manually in 
/var/cpanel/cpanel.config using one or more of the following directives:

minpwstrength=##
minpwstrength_bandmin=##
minpwstrength_cpaddons=##
minpwstrength_createacct=##
minpwstrength_ftp=##
minpwstrength_list=##
minpwstrength_mysql=##
minpwstrength_passwd=##
minpwstrength_pop=##
minpwstrength_postgres=##
minpwstrength_sshkey=##
minpwstrength_webdisk=##

where minpwstrength represents the global strength minimum and ## 
represents a numerical value.

The value used should be from 1 to 100, inclusive. This value 
corresponds to the numerical rating used by the Javascript password 
strength meters in X3 and WHM, which measures the effectiveness of a 
password on a percentile scale. The closer to 100 the value is, the more 
complex, or strong, a password must be to meet the requirement.

When set using the WHM interface, values larger than 100 can be 
specified but are rounded down to 100. Assigning a negative value sets 
the value to 0. Other values are rounded to the nearest 5 or 10 (e.g. 24 
becomes 25; 72 becomes 70). Setting the values manually in cpanel.config 
allows one to set values such as 33 or 115, with no real benefit. As 
mentioned, the values are percentiles. Thus specifying a value such as 
115 effectively sets a threshold that can never be reached, as no 
password can rate higher than 100%. Since the rating criteria in the 
Javascript password strength meter assign rank in steps of 5 and 10, a 
minimum strength of 33 is the same, for measurement purposes, as 35.


To Disable
------------

As with enabling password strength checking, disabling the checks can be 
done at the Default and Individual level. If the Default threshold is 
set, however, the Individual thresholds cannot be truly disabled. In 
such cases, setting the Individual threshold to a low value should suffice.

For example, if the Default threshold is set to 70 and an administrator 
wants to disable SSH Key generation passphrase checking, the SSH Key 
individual threshold should be set to 1. Setting the value to 0 is the 
same as specifying 'inherit,' likewise with un-checking the box next to 
SSH Key in the Password Strength Configuration WHM interface.

Removing the entry for an Individual threshold from 
/var/cpanel/cpanel.config is the same as setting it to 'inherit.'

To fully disable Password Strength enforcement, one therefore needs to 
consider both the Default and Individual thresholds. Both threshold 
levels need to be unchecked to disable all enforcement.


Scope of Enforcement
-------------------------

Once enabled, the Javascript password meters are updated to set their 
base 'OK' rating to the value stipulated in the Password Strength 
Configuration tool. This is either the Default value, or the Individual 
option when set. When the Default, or Individual, value is not set, the 
base value for an 'OK' password rating is 50. Thus, if a value is set to 
70, a password must be rated at least 70 before the password meter 
grants it an 'OK' rating.

As mentioned, once enabled, nearly any password set or changed 
thereafter must meet the minimum rating stipulated by the Default, or 
Individual, setting. This includes passwords for Mailman, MySQL virtual 
users, FTP accounts, cPAddons, etc. The only password not affected is 
one generated for Password Protected Directories. Thus, even root 
passwords must meet the minimum strength, along with passphrases for 
SSH Keys.

The strength check is not performed against existing passwords, only to 
new passwords. Hence a user could have a weak password, and continue 
using it. Once the user attempts to change the password, and the Default 
or System/cPanel threshold is set, the new password must meet the 
minimum criteria.
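The following is an added illustration, not cPanel's own code: a small 
Python model of how the cpanel.config directives listed above resolve 
into an effective threshold, covering the Default/Individual inherit 
rule (0 or absent means inherit), the "set it to 1" way of effectively 
disabling an Individual check, the WHM interface rounding rules, and the 
meter's 'OK' baseline of 50 when nothing is set. The sample config and 
the rating values are constructed for the example.

```python
"""Constructed model of the minpwstrength directives in /var/cpanel/cpanel.config.
This is an illustration of the rules described in the bulletin, not cPanel code."""
import re

# Suffixes of the Individual directives listed in the bulletin.
INDIVIDUAL = ("bandmin", "cpaddons", "createacct", "ftp", "list", "mysql",
              "passwd", "pop", "postgres", "sshkey", "webdisk")
METER_DEFAULT_OK = 50  # meter's 'OK' baseline when no threshold is set

def parse_cpanel_config(text):
    """Return {directive: int} for minpwstrength* lines (one key=value per line)."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(minpwstrength(?:_[a-z]+)?)\s*=\s*(-?\d+)\s*$", line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def whm_normalize(value):
    """Rounding the WHM interface applies: >100 -> 100, negative -> 0, else nearest 5.
    Integer arithmetic so 24 -> 25 and 72 -> 70 as the bulletin states."""
    if value < 0:
        return 0
    if value > 100:
        return 100
    return (value + 2) // 5 * 5

def effective_threshold(cfg, directive):
    """Individual value if > 0, else inherit the Default; None means no enforcement."""
    own = cfg.get("minpwstrength_" + directive, 0)
    if own > 0:
        return own
    default = cfg.get("minpwstrength", 0)
    return default if default > 0 else None

def meter_ok_baseline(cfg, directive):
    """Rating at which the Javascript meter shows 'OK' for this form."""
    t = effective_threshold(cfg, directive)
    return METER_DEFAULT_OK if t is None else t

def password_accepted(cfg, directive, rating):
    """rating is the meter's 0-100 score (assigned in steps of 5 and 10)."""
    t = effective_threshold(cfg, directive)
    return t is None or rating >= t

# Constructed sample: Default 70, SSH Keys effectively disabled via 1,
# FTP inheriting via 0, and a manual MySQL value of 115 that can never be met.
SAMPLE_CONFIG = """\
minpwstrength=70
minpwstrength_sshkey=1
minpwstrength_ftp=0
minpwstrength_mysql=115
"""
```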


Issues that Can Arise
-------------------------

What this means in practice is there is more opportunity for confusion, 
error and problems. X3 and WHM were examined in detail to ensure each 
worked properly with the new feature. However, non-X3 themes were not 
updated for this feature. For example, those still using X will 
experience issues since there is no method of communicating minimum 
password strength via a non-X3 theme. This also means users of 3rd party 
themes/skins, such as RVSkins, will likely experience issues.

Timing can cause issues. For example, if an administrator applies the 
Default minimum while an end user is adding an Addon domain, the 
password meter will check the password strength using the old value, but 
when the FTP Account is added, it will use the new Default threshold 
value, possibly causing the FTP Account creation to fail.

Javascript can cause issues. If a user has Javascript disabled, or is 
using a browser that has a poor Javascript implementation, the client 
side checks can be futile, resulting in the user submitting passwords 
that don't meet the minimum criteria, then being rejected by the system.

Users of 3rd party software may not benefit from the Password Strength 
check. If the software uses cPanel APIs to perform actions, then the 
minimum password checks will be enforced. However, if they use their own 
internal mechanisms, then minimum password strength is not applied. For 
example, Fantastico uses its own functions for creating database users, 
hence the MySQL User threshold is not enforced.

Applications that automate account creation often include random 
password generation. Some also allow the end user to supply the 
password. The functions within such software will need to be updated to 
properly handle password threshold enforcement. When Password Strength 
thresholds are enabled, weak passwords are not allowed during account 
creation via XML-API, or /scripts/wwwacct. Nor are they allowed via 
other cPanel/WHM API functions, when the appropriate threshold is enabled.

It is anticipated that setting minimum password strength will result in 
more support calls, at least initially, both to cPanel and to our 
customers' support systems, until users and 3rd party applications 
adjust to the sweeping changes this feature brings.


What cPanel Recommends
--------------------------

Before enabling this feature, it is recommended a system administrator 
fully consider the impact such enforcement will have on his user base 
and support system. The analysis should consider the following, at minimum:

1. Users must be using the X3 theme. The password threshold is enforced 
against all users of cPanel, regardless of skin or theme used. However, 
only X3 provides the necessary tools to inform the user of the threshold 
requirements.

2. 3rd party software integrated with cPanel/WHM. Specifically any that 
create passwords.

3. Custom scripts and applications written by the system admin, or employer.

4. The Default, or Individual, password strength minimum to require. 
Since the Default minimum is enforced against nearly all passwords 
created, making the minimum too high can alienate some users. People 
often tend to act like water: they find the path of least resistance. 
Making the minimum password requirement too stringent often encourages a 
user to find one password that meets this requirement, and then use it 
every time a password is required by cPanel. The same reasoning applies 
to the Individual thresholds.

To help offset this, a Generate Password button is placed on each form 
that accepts passwords. The passwords generated by this button will 
generally be rated 90+. These passwords give an idea of what is 
required in a strong password, and are useful for training purposes as 
well as practical ones.

Values between 50 and 80 are recommended as a starting point during the 
analysis portion of implementation. Based upon full analysis of your 
particular requirements, you might find that range adequate, or adjust 
it accordingly.

5. End user communication is vital in this process. Informing users of 
the changes and how they will impact their use of cPanel before such 
changes are enforced is very much recommended. Directing users to the 
Generate Password button will help educate users and allay fears about 
constructing a strong password. For companies with many servers, 
staggered, or staged, deployment is likewise recommended, in order to 
lessen the burden on internal support systems.


