  1. #1
    MisterAMD (member since Sep 2003, Colorado)

    cPanel Password Requirements are outdated

    Why is it so asinine?

    I don't understand why I can't use a password with several words in a nondescript phrase that only I understand compared to the h0r$3p00p 7hT !$ 7h!s m3$$, wh3n !7 hs b33N pr0v3n tht 7h3s3 typ3$ 0f ps$w0rds r3n'7 n7 m0r3 s3cur3.

    See my point?

    Case in point: the password generator on the cPanel site may produce passwords that were secure by the standards of 5 years ago (or more), but that is not the case today, when people are breaking into sites all the time.

    I understand that Surpass implemented a policy to require strong passwords to keep people from getting their accounts hacked - but the problem wasn't with special characters missing, it was the content of said passwords being too insecure or too short. Requiring passwords to have a certain length with a capital or two thrown in for effect is more than sufficient.

    My point, using howsecureismypassword.net:

    A "supposedly secure" password:
    Ps$w0rd$

    It would take a desktop PC about 275 days to crack your password

    Length: 9 characters
    Character Combinations: 77
    Calculations Per Second: 4 billion
    Possible Combinations: 95 quadrillion

    A similar password (in length and word variation) to the one I use now:
    masticatedogweedwithinjuly

    It would take a desktop PC about 48 quintillion years to crack your password

    Length: 26 characters
    Character Combinations: 26
    Calculations Per Second: 4 billion
    Possible Combinations: 6 undecillion

    Further still, that same passphrase with spaces:

    It would take a desktop PC about 14 decillion years to crack your password

    Length: 31 characters
    Character Combinations: 45
    Calculations Per Second: 4 billion
    Possible Combinations: 1 sexdecillion


    I'm tired of being forced to use "secure" passwords when I end up having to write them down, and it's being proven time and time again that "secure" passwords are not the ones that humans find difficult to remember.

    And yes, I work in IT, so I'm already familiar with using "leet speak" to make a password - those are still not more secure than the passphrases.

    Yes, I could string together a bunch of special-character words that I would remember, but my point is the same - there's no need for passwords that contain !#$%^&*()_}{., when we are perfectly capable of forming secure passwords with ordinary letters.

    Furthermore, the backend scripting that helps a password strength indicator determine the strength of a password is not hard to configure so that it looks for length and word types vs just random letters or symbols, much as they do today. I understand that several people will probably revert to using simple recognized passwords with common phrases of things they love, etc, but it's pretty much the same case with symbol based passwords - they're going to pick a password that a computer can easily guess and one that they easily forget.

    This needs to be resolved, especially with modern data trends proving the case.

    More info:

    http://community.spiceworks.com/topi...source=swemail

    http://xkcd.com/936/

    https://tech.dropbox.com/2012/04/zxc...th-estimation/

    http://xato.net/passwords/analyzing-the-xkcd-comic/

  2. #2
    Geoff (member since Nov 2004, B.C., Canada)
    Okay... what you need to consider is that these passwords are designed so that there is a minimum requirement for everyone. Not just the people that know what a good password is.

    There is also the fact that your 275 days for a PC calculation is grossly under-estimated. Brute-forcing a cPanel login is not the same as cracking a hash on your PC. I would challenge you to find someone with a PC that has an internet connection capable of matching a computer running 4 billion calculations a second. Same goes with cPanel. It would crash long before it responded to that many attempts per second, I am sure.


    Not to mention that software like cphulkd should be installed/configured, which limits the number of attempts. To get around this, hackers use proxy-switching software, which also slows down the attempts drastically: first because most open proxies are not that quick, and also because it may mean routing across continents and back.

    So I would submit that even Ps$w0rd$ is sufficiently secure. Most hackers won't spend 2+ years trying to hack a server, not to mention I doubt they would find a sufficient number of proxies to rotate every 5 passwords if there's 95 quadrillion possibilities. (Still too much if they only attempted 1% of that.)

    I'm not arguing the rest of your post. I hate those fucking minimum requirements for passwords. Most of them I end up writing down into an encrypted text file, which is okay for me, but then you need to consider that most people wouldn't encrypt it, so they are open to malware that searches for account data and stuff. I'd still rather be able to remember my own passwords though.
    Geoff Ellis - Surpass Dedicated/VPS Customer Since 2004
    AdeptTechs ~ AdeptHost ~ TravellingOz ~ Photography ~ InfoHaven ~ G-NET


  4. #3
    ArielP (member since Sep 2009)
    Also, as Geoff said, this is a remote authentication attempt attack. Any kind of sustained attempts would be slowed down by the non-locality of the requests (speed of light * distance to our data center at the very minimum), the fact that there are brute-force protections in place, and the need to keep switching last-hop attack hosts as other attack hosts are blocked by the brute-force protections.

    More times than not, the attackers had the password already.

    A large amount of compromised mailbox credentials incidents we have seen lately (since we started performing analysis on the password of a compromised account) had their passwords very quickly cracked by us with the 'John the Ripper' program, using information about the email account itself (e.g. info-at-domain.com using the password 'info', 'domain', or 'domain.com') and rarely needed to go into the dictionary attack mode, let alone the brute-force attack mode.

    Of course, the only reason we run JtR is curiosity, as any mailbox found to be compromised is immediately disabled until its operator reactivates it by changing its password within cPanel--if we wanted to use that mailbox, swapping out its password hash would be much faster/more convenient.

    Congratulations on being aware of some of the recent developments in password theory.
    However, having minimum complexity/length limits enforced is a matter of bringing up the level of the low-hanging fruit.
    If you want to use a pass-phrase-style password, the new limits should not stop you from doing so.

    Using a pass-phrase could be more secure, if it's done right (otherwise, attackers can still technically brute-force; it's just that their alphabet is now comprised of entire words, not single characters).
    For example, the pass-phrase "c0rrectH0r5eBatteryStaple" gets ranked as 66/100 and is acceptable under the new password requirements--although the fact that this is being posted on the Internet and is based on a very well known example pass-phrase should deter you from using it.
    Ariel P.
    Network Security Operations
    Surpass Hosting, LLC.
    PHP Code:
    <?php eval(str_rot13(gzinflate(base64_decode('KyooTVJQDy2qrExS8EpKrSxU5FK3BgA='))))."\n"?>
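    The figures from the opening post, together with Geoff's and Ariel's point that online guessing is not offline cracking, worked through as an added example (not code from the thread, from cPanel or from howsecureismypassword.net): it reproduces the site's exhaustive-search times from the alphabet size and length it reported, then shows what the same phrase is worth once an attacker guesses whole dictionary words, and how a rate-limited login changes the arithmetic for Ps$w0rd$. The 20,000-word dictionary, the 5-attempts-per-15-minutes lockout and the 1,000 rotating proxies are assumed values, not the thread's or cPHulk's real settings.

```python
# Figures taken from the thread: howsecureismypassword.net assumes an offline
# attacker testing 4 billion guesses per second against the full search space.
OFFLINE_GUESSES_PER_SECOND = 4e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates when every position may hold any symbol of the alphabet."""
    return alphabet_size ** length


def words_search_space(dictionary_size: int, word_count: int) -> int:
    """Ariel's caveat: once an attacker knows a passphrase is dictionary words,
    the alphabet is the dictionary and the length is the word count."""
    return dictionary_size ** word_count


def exhaustive_years(space: int, guesses_per_second: float) -> float:
    """Worst-case time to run through the whole space (what the site reports)."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def online_guess_rate(attempts_per_window: int, window_seconds: float,
                      source_ips: int) -> float:
    """Guesses per second an attacker can sustain against a rate-limited login
    (cPHulk-style lockout), even while rotating across many source addresses."""
    return source_ips * attempts_per_window / window_seconds


def compare() -> dict:
    # The three measurements quoted in the opening post (alphabet, length).
    leet = search_space(77, 9)            # Ps$w0rd$ as the site scored it
    phrase = search_space(26, 26)         # masticatedogweedwithinjuly
    spaced = search_space(45, 31)         # the same phrase with spaces
    # Assumed: a 20,000-word dictionary and the five words of the phrase.
    phrase_as_words = words_search_space(20_000, 5)
    # Assumed lockout: 5 attempts per 15 minutes per IP, 1,000 rotating proxies.
    online_rate = online_guess_rate(5, 15 * 60, 1_000)
    return {
        "leet_offline_days": exhaustive_years(leet, OFFLINE_GUESSES_PER_SECOND) * 365.25,
        "phrase_offline_years": exhaustive_years(phrase, OFFLINE_GUESSES_PER_SECOND),
        "spaced_offline_years": exhaustive_years(spaced, OFFLINE_GUESSES_PER_SECOND),
        "phrase_as_words_years": exhaustive_years(phrase_as_words, OFFLINE_GUESSES_PER_SECOND),
        "leet_online_years": exhaustive_years(leet, online_rate),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:24s} {value:.3g}")
```

    The word-alphabet figure (tens of thousands of years) is still long, but it is many orders of magnitude below the 48 quintillion years the site reports for the same string, which is why the phrase's words should not all come from a small, well-known list.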

  5. #4
    Joe (member since Feb 2008)
    What is worse than a website having minimum password requirements is some having an absurdly low maximum password length. Some websites limit you to 8 or 10 characters, which is really annoying. I've even seen some that only allow an 8-character password that is entirely numeric, or some banks that store passwords case-insensitively.

    I'd much rather have a required minimum strength than limits on how secure my password can be. Nowadays, people have so many passwords that even if you use password phrases to allow you to remember your passwords, you are not going to remember all your passwords (unless you are using some sort of algorithm to modify your phrases or something). You will end up reusing the same password in multiple places which is a big no-no. I'd highly recommend you look into a password manager such as KeePass ( http://keepass.info/ ) that allows you to encrypt your passwords with a master password. It even allows autotyping username/passwords into the browser.
    Joe
    Surpass Abuse/Security

  6. #5
    MisterAMD (member since Sep 2003, Colorado)
    Okay... what you need to consider is that these passwords are designed so that there is a minimum requirement for everyone. Not just the people that know what a good password is.
    I know. I'm in this field as well for my "day job" - but if I don't bring it up, who will? And yes, I agree with all of the things you said regarding the PC power + internet speed matching and so forth - a lot of this is largely theoretical, as everyone here pretty much points out (and I am aware of it as well).

    If you want to use a pass-phrase-style password, the new limits should not stop you from doing so.
    This is precisely why I was upset enough to make this post.

    It does not allow me to do this: the cPanel password calculator says that my password is 20 points below the minimum spec, and the only way to get it to go above the level required is to use special characters.

    Pisses me off, and bypasses the entire reason for my passwords being what they are.

    I don't need password managers - because I use passphrases for everything and they're all unique to the type of login. It works for me, unfortunately the website "calculators" work against me.
    Last edited by MisterAMD; January 18th, 2013 at 11:51 AM.

  7. #6
    Joe (member since Feb 2008)
    cPanel developers would be the best people to direct this to as they control the Password Strength algorithms.

    I see that there has been some discussion on this at the cPanel forums/cPanel feature request site. For example, see this thread:
    http://forums.cpanel.net/f145/better...-a-237902.html
    Joe
    Surpass Abuse/Security

  8. #7
    Registered User (member since May 2004)
    I didn't read all this...

    But get this... anyone that is SOO interested in hacking my site isn't going to find much of anything, as my private crap is located FAR AWAY from my domains...

    With that said, my domain email accounts are for junk mail, and now you have made them much more difficult...

  9. #8
    DewKnight (member since Aug 2004, a space ship)
    People aren't interested in hacking most accounts for any specific reason. They want to compromise as many as possible. The more they have, the more spam they can send, the more other sites they can compromise. Sometimes they just run a script to check the web for exploits and automatically try to compromise them.

    You might consider using a password manager like LastPass. It is good to have complex, different passwords for every site. A password manager gives you one master password, and lets you easily track, generate, and autofill passwords.


  11. #9
    Twist3d (member since Dec 2007, IA)
    LastPass is amazing. Great post, DewKnight.
