Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How is password strength determined for Plesk?
Answer
Password strength is the sum of the scores from the following criteria. The password is checked against each of them, and every match adds that criterion's score (its weight).
Here are the rules applied for password validation in Plesk Onyx and Obsidian:
- If a password is 4 or fewer symbols in length, it gains 3 points.
- If the length is between 5 and 7, then it gains 6 points.
- If the length is between 8 and 15, then it gains 12 points.
- If the length is 16 or more, then it gains 18 points.
- If the password contains at least one lower case letter from 'a' to 'z', then it gives 1 point.
- If there is at least one upper case letter from 'A' to 'Z', then it brings 5 points.
- If there is at least one number, then it brings 5 points.
- If there are at least three numbers, then it brings 5 points.
- If there is at least one special character from this list (without quotes): "!, @, #, $, %, ^, &, *, ?, _, ~", then it brings 5 points.
- If there are at least two special characters from the list above, then it brings 5 points.
- If there are both upper and lower case letters, then it brings 2 points.
- If there are both letters and numbers, then it brings 2 points.
- If there is a combination of letters, numbers and special characters, then it brings 2 points.
Summary:
- If the sum of points is less than 15, the password is Very Weak.
- If the sum of points is between 15 and 24, then it is a Weak password.
- If the sum of points is between 25 and 34, then it is a Medium password.
- If the sum of points is between 35 and 44, then it is a Strong password.
- If the sum of points is more than 45, it is Very Strong.
Example:
The password P@ssw0rd:
- Length between 8 and 15 (+12).
- At least one lower case letter (+1).
- At least one upper case letter (+5).
- At least one number (+5).
- At least one special character (+5).
- Has both upper and lower case (+2).
- Has both letters and numbers (+2).
- Has letters, numbers and special characters (+2).
Overall score is 34, which is less than 35. Verdict is Medium.
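The scoring rules above, re-implemented as an added Python example (this is not Plesk's own code; the rule names and the treatment of a total of exactly 45 as Very Strong, which the article leaves unspecified, are assumptions). Besides the article's own P@ssw0rd, it scores the two passwords quoted in the comments below, which shows why a long hyphenated passphrase rates only Weak while a short dictionary word with substitutions rates Strong under these rules:

```python
# Added example: a re-implementation of the password scoring rules described in
# the article above. It is not Plesk's own code; treating a total of exactly 45
# as "Very Strong" is an assumption, since the article only defines "more than 45".
import string
from typing import List, Tuple

# The special characters the article lists as scoring (hyphen, period and comma
# are deliberately absent, as in the article).
SPECIALS = set("!@#$%^&*?_~")


def score_breakdown(password: str) -> List[Tuple[str, int]]:
    """Return the list of (rule, points) that apply to `password`.

    The sum of the points is the strength score; each tuple corresponds to one
    bullet in the article, so the output can be compared with its worked example.
    """
    rules = []
    n = len(password)
    if n <= 4:
        rules.append(("length 4 or less", 3))
    elif n <= 7:
        rules.append(("length between 5 and 7", 6))
    elif n <= 15:
        rules.append(("length between 8 and 15", 12))
    else:
        rules.append(("length 16 or more", 18))

    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    digits = sum(c in string.digits for c in password)
    specials = sum(c in SPECIALS for c in password)
    has_letter = has_lower or has_upper

    if has_lower:
        rules.append(("at least one lower case letter", 1))
    if has_upper:
        rules.append(("at least one upper case letter", 5))
    if digits >= 1:
        rules.append(("at least one number", 5))
    if digits >= 3:
        rules.append(("at least three numbers", 5))
    if specials >= 1:
        rules.append(("at least one special character", 5))
    if specials >= 2:
        rules.append(("at least two special characters", 5))
    if has_lower and has_upper:
        rules.append(("both upper and lower case", 2))
    if has_letter and digits >= 1:
        rules.append(("both letters and numbers", 2))
    if has_letter and digits >= 1 and specials >= 1:
        rules.append(("letters, numbers and special characters", 2))
    return rules


def score_password(password: str) -> int:
    """Total strength score for `password`."""
    return sum(points for _, points in score_breakdown(password))


def verdict(score: int) -> str:
    """Map a score to the article's five strength classes."""
    if score < 15:
        return "Very Weak"
    if score <= 24:
        return "Weak"
    if score <= 34:
        return "Medium"
    if score <= 44:
        return "Strong"
    return "Very Strong"  # assumption: a score of exactly 45 counts as Very Strong


def rate(password: str) -> Tuple[int, str]:
    """Convenience wrapper returning (score, verdict)."""
    s = score_password(password)
    return s, verdict(s)


if __name__ == "__main__":
    # P@ssw0rd is the article's own example; the other two are the passwords
    # quoted in the comments below the article.
    for pw in ("P@ssw0rd", "Pa$$word123", "applaud-bisque-batch-forefoot"):
        s, v = rate(pw)
        print(f"{pw!r}: {s} points -> {v}")
        for rule, points in score_breakdown(pw):
            print(f"    +{points:<2} {rule}")
```

Running it reproduces the article's 34 points for P@ssw0rd. The 29-character passphrase collects only the length and lower-case points (19, Weak) because hyphens are not in the special-character list, while Pa$$word123 collects every bonus except the 16-or-more length rule (44, Strong). The scheme rewards character-class variety far more than length, which is the limitation the commenters below point out.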
Comments
11 comments
Please consider implementing Dropbox's password strength library in future versions of Plesk. https://github.com/dropbox/zxcvbn
Right now (Plesk Onyx Version 17.8.11) very secure passwords such as applaud-bisque-batch-forefoot won't even pass the "medium" filter, and very bad passwords such as Pa$$word123 are marked "Strong".
Brute force cracking continues to get more sophisticated and the current strength ratings are misleading.
Hello @Peter,
Thank you for sharing your idea. I have created a feature suggestion.
The top-rated features will be implemented in next Plesk updates.
Plesk REST API fails to create ftp user with some ftp_password e.g. b&3$0BRldB~1 with message: "Do not use quotes, space and national alphabet characters in a password. The password length should be from 5 to 14 characters in length, and it should not contain the username."
while there is no problem using the same password through dashboard.
Am I doing something wrong or is it a bug?
Plesk Obsidian Web Host Edition
Version 18.0.27
Hello, EFTHIMIOS SIDERIS!
Can you please tell the OS version you have Plesk Installed?
Thank you
Hello,
OS is: CentOS Linux 8.1.1911
Hello again,
Nobody can answer?
Thank you
Hello,
Unfortunately there is nothing we can suggest based on the provided information. Please create a support request to troubleshoot the issue.
Could you please add the hyphen, period and comma - . , characters to the special characters scoring?
Currently they don't affect the scoring while they are valid and good for creating safe passwords that you can also remember. Some password generators, like the one in iOS/macOS Safari, only support hyphens. So even though it does generate safe passwords they never pass the medium Plesk policy.
I would like to make a further suggestion. The description of password strength for strong is a little misleading as someone who puts in all the characters required with the proper length can still be considered Medium strength until some extra characters are added. The description should be a little more accurate regarding that and I agree that the passwords with long and varied words should also pass for strong, but do not.
Thank you
Hello Xanthorr and Northland SysAdmin
Thank you for the suggestions, please, don't hesitate to share your ideas here: https://plesk.uservoice.com/forums/184549-feature-suggestions
Suggestions are monitored by R&D and popular ones are implemented.
I would suggest that you add an option to set the length of the password in the password policy.
Difference between strong and very strong is big and length of 12 would be optimal.
Password complexity should stay but it would be better if we can control the length.