alankru

cPanel password strength change


Hello,

I created a cPanel service the other week and let Blesta generate the password for the cPanel account - No issues.

However, when Blesta is now trying to create a cPanel service and it is generating the password, I am now receiving an error response from the cPanel server, stating that the password does not meet a strength of 90. I spoke to my server host about this and they have not altered the complexity requirement. They double checked and they have a password that the other week was a password of 90 strength; now the password is registering a strength of 75. We mutually concluded that cPanel must have changed the algorithm used to calculate password strengths.

Some digging of the cPanel change log shows:


67.9999.118
2017-09-26
Fixed case CPANEL-14615: Alters the password strength algorithm to use an entropy based approach.

It has obviously just taken a while for the release with this change in it to filter out.

My thread here serves a few purposes:

1. To make the Blesta team aware of this change and potential bug (I therefore felt that the bugs forum was the best place for this topic, although I was unsure)

2. See if anyone else is experiencing the same

3. To gain instruction on how exactly to increase the complexity of the passwords that Blesta generates.

On point 3, I have opened the file components/modules/cpanel/cpanel.php and I find the following, which starts at line 1667 in v4:

    /**
     * Generates a password
     *
     * @param int $min_length The minimum character length for the password (5 or larger)
     * @param int $max_length The maximum character length for the password (14 or fewer)
     * @return string The generated password
     */
    private function generatePassword($min_length = 10, $max_length = 14)
    {
        // Lowercase letters, digits and symbols only; no uppercase letters
        $pool = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()';
        $pool_size = strlen($pool);
        // The length is clamped to the 5..14 range whatever arguments are passed
        $length = mt_rand(max($min_length, 5), min($max_length, 14));
        $password = '';

        for ($i=0; $i<$length; $i++) {
            $password .= substr($pool, mt_rand(0, $pool_size-1), 1);
        }

        return $password;
    }

I can see from previous examples of passwords that Blesta generates, that Blesta does not incorporate capital (uppercase) letters. I can now see this from the above code.

To increase the complexity of the passwords that Blesta generates, I feel that it is just a case of adding capital letters. To do this, please could someone tell me; is it just a case of adding in the capital letters into the $pool line?

Please could someone also tell me; which part of the code controls how long the password will be? (to increase its complexity)
Thank you very much.


Thank you. What I'm confused about is that the max_length values are different and where it has "mt_rand(max($min_length, 5)" it has a min_length near a max word?

Therefore, I'm confused as to which values I alter.

23 hours ago, alankru said:

However, when Blesta is now trying to create a cPanel service and it is generating the password, I am now receiving an error response from the cPanel server, stating that the password does not meet a strength of 90. I spoke to my server host about this and they have not altered the complexity requirement. They double checked and they have a password that the other week was a password of 90 strength, now the password is registering a strength of 75. We mutually concluded that cPanel must have changed the algorithm used to calculate passed strengths.

If your cPanel server requires a strength of "90" and the password the module creates is insufficient, you might consider decreasing that requirement on your cPanel server under Password Strength Configuration. I think 65 has been the default value. I'm not sure how that strength value is calculated, so it's difficult to say what changes to the password generator would actually result in a password that meets that minimum strength. If you can find documentation on that let us know.


Thanks Tyson. Unfortunately, I cannot decrease the strength requirement as I do not control the server.

You see, with WHMCS, you can control the password complexity easily (according to the webhost). Therefore, there isn't a need for the webhost to lower the strength requirement. Additionally, as this isn't something that the webhost has purposefully increased, but is due to this change from cPanel, what would the webhost set it to...

I know that it will help by adding Uppercase characters. I would also like to (potentially) increase the length of the password.

Would you be able to tell me how to do that please?

The documentation for the password strength calculation is here:

https://documentation.cpanel.net/display/CKB/How+to+Determine+Password+Strength

The document has just been created on Oct 30th! (probably due to the recent update!)

Thank you.


I haven't seen anything that indicates the new default is a strength of 90, but I would be curious to know if that is the case.

You can update the $pool you mentioned above to include uppercase characters, but that doesn't mean a password generated will definitely contain one. The best indicator of password strength should be the password length from a large enough character set. Considering that the password is generated from any character in the pool randomly with equal probability, I would recommend increasing the minimum character length to a suitable number to achieve the desired strength. Without knowing how the strength is derived though, you cannot guarantee a randomly generated password would achieve it. From the examples on the page you linked, it appears each character is given a strength from 6-10, but is subject to a positive or negative multiplier based on other factors.

Assuming a strength value of 6 per character in the generated password's random distribution, a 100-strength password could be achieved consistently at a minimum of 17 characters, so I would update the minimum password length to 17:

private function generatePassword($min_length = 17, $max_length = 20)
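A hardened variant of the generator discussed in this thread, added here as an example and not Blesta's own code: it extends the pool with uppercase letters, draws characters with the CSPRNG random_int() instead of mt_rand(), places one character of each class so that adding uppercase to $pool does not merely make uppercase possible, and replaces the fixed 14 in min($max_length, 14) (which clamps any larger $max_length, such as 20, back to 14) with an assumed $hard_cap parameter. The entropy helper measures the generator itself and is not cPanel's strength score, which is defined by the documentation linked above.

```php
<?php
// Added example, not Blesta's code. $hard_cap is an assumed parameter name.
function generatePassword(int $min_length = 17, int $max_length = 20, int $hard_cap = 32): string
{
    // Four character classes; the original module had no uppercase class.
    $classes = [
        'abcdefghijklmnopqrstuvwxyz',
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        '0123456789',
        '!@#$%^&*()',
    ];
    $pool = implode('', $classes);
    // Same clamping shape as the original, but the ceiling is configurable.
    $length = random_int(max($min_length, 5), min($max_length, $hard_cap));

    // Fill all but four positions uniformly from the whole pool.
    $chars = [];
    for ($i = 0; $i < $length - count($classes); $i++) {
        $chars[] = $pool[random_int(0, strlen($pool) - 1)];
    }
    // Insert one guaranteed character per class at a random position,
    // so every password contains uppercase, lowercase, a digit and a symbol.
    foreach ($classes as $class) {
        $c = $class[random_int(0, strlen($class) - 1)];
        array_splice($chars, random_int(0, count($chars)), 0, $c);
    }
    return implode('', $chars);
}

// Bits of entropy for a password of $length symbols drawn uniformly from a
// pool of $pool_size. This is the generator's entropy (an upper bound for the
// guaranteed-class variant above), not cPanel's strength score.
function passwordEntropyBits(int $length, int $pool_size): float
{
    return $length * log($pool_size, 2);
}

// Original module: 46-symbol pool, at most 14 characters because of min($max_length, 14).
printf("original pool, 14 chars: %.1f bits\n", passwordEntropyBits(14, 46));
// Extended 72-symbol pool at the 17-character minimum suggested in the last reply.
printf("extended pool, 17 chars: %.1f bits\n", passwordEntropyBits(17, 72));
echo generatePassword(), "\n";
```

Whether a given entropy maps to a cPanel strength of 90 still has to be checked against the linked cPanel document, since its score is not a plain bit count.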
