[cPanel-News] cPanel News Bulletin January 2008 - Password Strength
Eric Gregory
eric at cpanel.net
Fri Jan 25 01:02:28 CST 2008
Minimum Password Strength Checking
======================================
A new feature introduced in build 18673 is a minimum password strength
check, found in the Security Center. This feature allows an
administrator to define a minimum password strength threshold. Passwords
that do not meet the threshold are rejected, both at the client and
system levels. Once enabled, the check is applied to nearly every
function and feature within WHM and cPanel that allows setting or
changing of passwords.
To Enable
------------
By default, no minimum password strength checking is performed. The
Javascript meters will still gauge the 'effective' strength of a
password, but cPanel/WHM will not prevent changing or setting a password
to a weak value. To enable minimum password strength checking, an
administrator would use the Password Strength Configuration utility
found in the Security Center within WHM.
The Password Strength Configuration tool allows setting a global Default
strength minimum, applied to all password modification and setting
functions. In addition, the following fine-grained, Individual
thresholds can be set:
o Mailing Lists
o Email Accounts
o FTP Accounts
o System/cPanel Accounts
o PostgreSQL Accounts
o SSH Keys
o WebDisk/WebDAV Accounts
o cPAddon/Site Software Installs
o Account Creation
o MySQL Users
o Bandmin Access
Each of the above can either be stipulated, or allowed to inherit the
global Default strength minimum.
Note: the System/cPanel Accounts threshold is enforced when changing the
password for an existing account, including the root account. This
differs from the Account Creation threshold, which determines the
threshold used during account creation.
It is possible to set only an Individual check. For example, an
administrator could determine that all system accounts must have a
minimum password strength of 70, while no others, including the global
strength minimum, is enforced. This is done by setting a threshold value
for:
o System/cPanel Accounts
o Account Creation
but leaving all other options, including the Default, unchecked.
The password strength minimums can also be set manually in
/var/cpanel/cpanel.config using one or more of the following directives:
minpwstrength=##
minpwstrength_bandmin=##
minpwstrength_cpaddons=##
minpwstrength_createacct=##
minpwstrength_ftp=##
minpwstrength_list=##
minpwstrength_mysql=##
minpwstrength_passwd=##
minpwstrength_pop=##
minpwstrength_postgres=##
minpwstrength_sshkey=##
minpwstrength_webdisk=##
where minpwstrength represents the global strength minimum and ##
represents a numerical value.
The value used should be from 1 to 100, inclusive. This value
corresponds to the numerical rating used by the Javascript password
strength meters in X3 and WHM, which measures the effectiveness of a
password on a percentile scale. The closer to 100 the value is, the more
complex, or strong, a password must be to meet the requirement.
When set using the WHM interface, values larger than 100 can be
specified but are rounded down to 100. Assigning a negative value sets
the value to 0. Other values are rounded to the nearest 5 or 10 (e.g. 24
becomes 25; 72 becomes 70). Setting the values manually in cpanel.config
allows one to set values such as 33 or 115, with no real benefit. As
mentioned, the values are percentiles. Thus specifying a value such as
115 effectively sets a threshold that can never be reached as no
password can match higher than 100%. Since the rating criteria in
the Javascript password strength meter assign rank in values of 5 and
10, a minimum strength of 33 is the same, for measurement purposes, as 35.
To Disable
------------
As with enabling password strength checking, disabling the checks can be
done at the Default and Individual level. If the Default threshold is
set, however, the Individual thresholds cannot be truly disabled. In
such cases, setting the Individual threshold to a low value should suffice.
For example, if the Default threshold is set to 70 and an administrator
wants to disable SSH Key generation passphrase checking, the SSH Key
individual threshold should be set to 1. Setting the value to 0 is the
same as specifying 'inherit,' likewise with un-checking the box next to
SSH Key in the Password Strength Configuration WHM interface.
Removing the entry for an Individual threshold from
/var/cpanel/cpanel.config is the same as setting it to 'inherit.'
To fully disable Password Strength enforcement, one therefore needs to
consider both the Default and Individual thresholds. Both threshold
levels need to be unchecked to disable all enforcement.
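The threshold resolution rules described in the two sections above (the cpanel.config directives, the 1-100 scale and WHM's rounding, and the 'inherit' semantics of 0 or a missing Individual entry) are modelled here as an added example; this is not cPanel code, and the config fragment is constructed for illustration:

```python
# Added example (not cPanel code): resolve the effective minpwstrength
# thresholds from a constructed /var/cpanel/cpanel.config fragment.

def parse_cpanel_config(text):
    """Parse key=value lines into {directive: int}; only minpwstrength* kept."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("minpwstrength"):
            cfg[key] = int(value)
    return cfg

def normalize_whm(value):
    """WHM form rounding as described in the bulletin: >100 -> 100,
    negative -> 0, otherwise to the nearest multiple of 5 (assumed; ties up)."""
    if value > 100:
        return 100
    if value < 0:
        return 0
    return int(value / 5.0 + 0.5) * 5

def effective_threshold(cfg, key):
    """Enforced minimum for one function, or None when nothing is enforced.
    A missing or 0 Individual entry inherits the global minpwstrength;
    a missing or 0 global means no enforcement at all."""
    individual = cfg.get("minpwstrength_" + key, 0)
    if individual > 0:
        return individual
    default = cfg.get("minpwstrength", 0)
    return default if default > 0 else None

def meter_ok_rating(cfg, key):
    """Base 'OK' rating of the X3/WHM meters: the stipulated value, else 50."""
    return effective_threshold(cfg, key) or 50

def password_accepted(cfg, key, rating):
    """rating is the meter's 0-100 score for the candidate password."""
    minimum = effective_threshold(cfg, key)
    return minimum is None or rating >= minimum

# Constructed fragment: Default 70, SSH passphrases effectively exempt (1),
# MySQL set manually to an unreachable 115, FTP explicitly inheriting (0).
SAMPLE_CONFIG = "minpwstrength=70\nminpwstrength_sshkey=1\n" \
                "minpwstrength_mysql=115\nminpwstrength_ftp=0\n"
```

With this fragment, FTP inherits 70, SSH key passphrases pass with any rating of 1 or more, and no MySQL password can ever satisfy the 115 minimum.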
Scope of Enforcement
-------------------------
Once enabled, the Javascript password meters are updated to set their
base 'OK' rating to the value stipulated in the Password Strength
Configuration tool. This is either the Default value, or the Individual
option when set. When the Default, or Individual, value is not set, the
base value for an 'OK' password rating is 50. Thus, if a value is set to
70, a password must be rated at least 70 before the password meter
grants it an 'OK' rating.
As mentioned, once enabled, nearly any password set or changed
there-after, must meet the minimum rating as stipulated by the Default,
or Individual, setting. This includes passwords for Mailman, MySQL
virtual users, FTP accounts, cPAddons, etc. The only password not
affected is one generated for Password Protected Directories. Thus, even
root passwords must meet the minimum strength, along with passphrases
for SSH Keys.
The strength check is not performed against existing passwords, only to
new passwords. Hence a user could have a weak password, and continue
using it. Once the user attempts to change the password, and the Default
or System/cPanel threshold is set, the new password must meet the
minimum criteria.
Issues that Can Arise
-------------------------
What this means in practice is there is more opportunity for confusion,
error and problems. X3 and WHM were examined in detail to ensure each
worked properly with the new feature. However, non-X3 themes were not
updated for this feature. For example, those still using X will
experience issues since there is no method of communicating minimum
password strength via a non-X3 theme. This also means users of 3rd party
themes/skins, such as RVSkins, will likely experience issues.
Timing can cause issues. For example, if an administrator applies the
Default minimum while an end user is adding an Addon domain, the
password meter will check the password strength using the old value, but
when the FTP Account is added, it will use the new Default threshold
value, possibly causing the FTP Account creation to fail.
Javascript can cause issues. If a user has Javascript disabled, or is
using a browser that has a poor Javascript implementation, the client
side checks can be futile, resulting in the user submitting passwords
that don't meet the minimum criteria, then being rejected by the system.
Users of 3rd party software may not benefit from the Password Strength
check. If the software uses cPanel APIs to perform actions, then the
minimum password checks will be enforced. However, if they use their own
internal mechanisms, then minimum password strength is not applied. For
example, Fantastico uses its own functions for creating database users,
hence the MySQL User threshold is not enforced.
Applications that automate account creation often include random
password generation. Some also allow the end user to supply the
password. The functions within such software will need to be updated to
properly handle password threshold enforcement. When Password Strength
thresholds are enabled, weak passwords are not allowed during account
creation via XML-API, or /scripts/wwwacct. Nor are they allowed via
other cPanel/WHM API functions, when the appropriate threshold is enabled.
It is anticipated that setting minimum password strength will result in
higher support calls, at least initially, both to cPanel and to our
customer's support systems, until users and 3rd party applications
adjust to the sweeping changes this feature brings.
What cPanel Recommends
--------------------------
Before enabling this feature, it is recommended a system administrator
fully consider the impact such enforcement will have on his user base
and support system. The analysis should consider the following, at minimum:
1. Users must be using the X3 theme. The password threshold is enforced
against all users of cPanel, regardless of skin or theme used. However,
only X3 provides the necessary tools to inform the user of the threshold
requirements.
2. 3rd party software integrated with cPanel/WHM. Specifically any that
create passwords.
3. Custom scripts and applications written by the system admin, or employer.
4. The Default, or Individual, password strength minimum to require.
Since the Default minimum is enforced against nearly all passwords
created, making the minimum too high can alienate some users. People
often tend to act similarly to water: find the path of least resistance.
Making the minimum password requirement too stringent often encourages a
user to find one password that meets this requirement, and then use it
every time a password is required by cPanel. The same reasoning applies
to the Individual thresholds.
To help offset this, on each form that accepts passwords, a Generate
Password button is placed. The passwords generated by this button will
generally be rated 90+. These passwords will give an idea of what is
required in a strong password. They are useful for training purposes as
well as for practical use.
Values between 50 and 80 are recommended as a starting point during the
analysis portion of implementation. Based upon full analysis of your
particular requirements, you might find that range adequate, or adjust
it accordingly.
5. End user communication is vital in this process. Informing users of
the changes and how it will impact their use of cPanel before such
changes are enforced is very much recommended. Directing users to the
Generate Password button will help educate users and allay fears of
constructing a strong password. For companies with many servers,
staggered, or staged, deployment is likewise recommended, in order to
lessen the burden on internal support systems.