Articles in this section

Plesk Obsidian Default Password Strength Policy changes starting from February 18th, 2020

Renan Poss Moreira
Updated
DoNotDelete:docref kb: technical Plesk Obsidian for Linux Plesk Obsidian for Windows ABT: Group A

Applicable to:

  • Plesk Obsidian for Linux
  • Plesk Obsidian for Windows

General Information

The Plesk default password strength policy under Tools & Setting > Security Policy  will be changed to Strong starting from Plesk Obsidian 18.0.25.
This policy requires passwords to be at least 8 characters long and to have at least one occurrence of upper and lower-case characters, digits, and special characters, for example: P@ssw0rd12. 

Note: Uppercase/lowercase chars along with special digits requirement is only applied to short passwords(less than 14 digits). Meanwhile, the long ones(with the exception for long passwords where the same letters/digits repeat, for example "thisssisssssssss") are considered Very strong by default, even if they do not contain upper-case, digit or special symbol.

Why are we doing this?

Before the Plesk Obsidian release, the default password strength policy was set to "Very Weak".
Such passwords in Plesk satisfy only the minimum required strength and could be brute-forced in 0-7 minutes. Change in password strength policy provides strong protection from brute-force attacks.

For what Plesk servers password strength policy will be changed

Plesk default password strength policy will be changed:

    • For all new Plesk Obsidian installations the "Strong" password strength policy will be applied by default.
    • For Plesk servers updated to Plesk Obsidian:
      • If the password strength policy is "Very weak", the default value will be set to "Strong" during the next two months.
        Plesk will use the smooth rollout mechanism to change the policy.

        Note: existing passwords for users will not be changed.

      • If the password strength policy differs from "Very weak" then the used policy will be kept intact till March 2020
        We want everyone to have the same level of security, so after strengthening passwords for new Plesk installations, we’ll roll out the
        same for existing Plesk Obsidian installations starting from March 2020.

For Plesk Onyx and below password strength policy will not be changed.

Possible effects

Changing the default password strength policy can have an impact on automatic initialization scripts that are used during Plesk installation. If you use automatic scripts with CLI or API calls to install Plesk, adjust the password generator to meet the new policy requirements.

Was this article helpful?

Comments

0 comments

Please sign in to leave a comment.