Applicable to:
- Plesk Obsidian for Linux
- Plesk Obsidian for Windows
General Information
The Plesk default password strength policy under Tools & Settings > Security Policy will be changed to Strong starting from Plesk Obsidian 18.0.25.
This policy requires passwords to be at least 8 characters long and to have at least one occurrence of upper and lower-case characters, digits, and special characters, for example: P@ssw0rd12.
Note: the upper-case/lower-case, digit and special-character requirement applies only to short passwords (fewer than 14 characters). Long passwords are considered Very strong by default even if they contain no upper-case letter, digit or special symbol, with the exception of long passwords in which the same letters or digits repeat, for example "thisssisssssssss".
Why are we doing this?
Before the Plesk Obsidian release, the default password strength policy was set to "Very Weak".
Such passwords in Plesk satisfy only the minimum required strength and could be brute-forced in 0-7 minutes. The change in the password strength policy provides strong protection against brute-force attacks.
For which Plesk servers the password strength policy will be changed
The Plesk default password strength policy will be changed as follows:
- For all new Plesk Obsidian installations the "Strong" password strength policy will be applied by default.
- For Plesk servers updated to Plesk Obsidian:
- If the password strength policy is "Very weak", the default value will be set to "Strong" during the next two months.
Plesk will use the smooth rollout mechanism to change the policy.
Note: existing passwords for users will not be changed.
- If the password strength policy differs from "Very weak", the policy in use will be kept intact until March 2020.
We want everyone to have the same level of security, so after strengthening passwords for new Plesk installations, we'll roll out the same for existing Plesk Obsidian installations starting from March 2020.
For Plesk Onyx and earlier, the password strength policy will not be changed.
Possible effects
Changing the default password strength policy can have an impact on automatic initialization scripts that are used during Plesk installation. If you use automatic scripts with CLI or API calls to install Plesk, adjust the password generator to meet the new policy requirements.
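The following Python script is an added illustration, not Plesk's own code: it models the "Strong" rules described above (minimum 8 characters; all four character classes required for passwords shorter than 14 characters; long passwords accepted unless one character repeats in a long run) and shows how an installation script can generate passwords that pass such a check. The special-character set, the run-length threshold used to detect "repeating" characters, and the function names are assumptions made for this example; Plesk's actual accepted character set is not listed in the article.

```python
"""Model of a "Strong" password policy and a matching generator (added example, not Plesk code)."""
import secrets
import string

MIN_LENGTH = 8          # article: at least 8 characters
LONG_THRESHOLD = 14     # article: passwords of 14+ characters are exempt from the class rules
MAX_RUN = 3             # assumption: a run of one character longer than this counts as "repeating"

# Assumption: a constructed set of special characters for this example. The article does
# not list the characters Plesk accepts; a commenter reports that ( ) ; [ ] . { } - were
# rejected by Plesk, so this set deliberately avoids them.
SPECIAL_CHARS = "!@#$%^&*_+=?"


def longest_run(password: str) -> int:
    """Length of the longest run of one repeated character in the password."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if longest_run(password) > MAX_RUN:
        problems.append("contains a long run of one repeated character")
    if len(password) < LONG_THRESHOLD:
        # Short passwords must contain every character class.
        classes = {
            "an upper-case letter": any(c.isupper() for c in password),
            "a lower-case letter": any(c.islower() for c in password),
            "a digit": any(c.isdigit() for c in password),
            "a special character": any(c in SPECIAL_CHARS for c in password),
        }
        problems.extend(f"missing {name}" for name, ok in classes.items() if not ok)
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies check_password(), for provisioning scripts."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIAL_CHARS
    rng = secrets.SystemRandom()
    while True:
        # Guarantee one character of each class, fill the rest randomly, then shuffle
        # so the class positions are not predictable.
        chars = [
            secrets.choice(string.ascii_uppercase),
            secrets.choice(string.ascii_lowercase),
            secrets.choice(string.digits),
            secrets.choice(SPECIAL_CHARS),
        ]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate):  # also rejects an unlucky long repeated run
            return candidate


if __name__ == "__main__":
    for sample in ("P@ssw0rd12", "password", "thisssisssssssss", "thisisalongpassphrase"):
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
    print("generated:", generate_password(16))
```

Using a checker like this in the provisioning pipeline before the CLI or API call fails early with a readable reason instead of an opaque rejection from Plesk; the generator only draws from characters the checker accepts, so every generated password passes by construction.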
Comments
3 comments
Hello,
This will create issues with WHMCS as discussed here.
https://support.plesk.com/hc/en-us/articles/360009266814-Password-generated-by-WHMCS-is-rejected-in-an-attempt-to-create-a-system-user-in-Plesk
Unfortunately some symbols that WHMCS uses are not used by Plesk.
Those symbols are (, ), ;, [, ], ., {, }, -
As a result, what can end up happening, and it happened often enough to be a problem, is that when the password strength in Plesk is set to Strong, and WHMCS generates a password that contains only symbols that Plesk does not recognize as special symbols, then Plesk does not recognize the password as being valid and rejects it. This causes the automatic user account creation from WHMCS to Plesk to fail.
What I would like to know is whether or not there have been any further "internal" discussions about addressing this issue?
Now that you are setting the default Password strength to "Strong" I think it's a good time to revisit this issue for better cross platform compatibility.
kind regards,
Dr. Koontz
Hello Michael Koontz
Thank you for sharing your experience.
I don't have information about the existence of such a discussion, but what I will do is deliver your feedback to the team in charge for consideration.
Michael Koontz
According to the information I received in WHMCS 7.9 GA (January 8th), this behavior was adjusted in WHMCS and integration should work fine out of the box.
What WHMCS version do you use?