websavers
Regular Pleskian
We've been trying to ensure that all of our servers are configured with the "Very Strong" password requirement policy. We most definitely want to ensure a high level of security and we're fine with telling clients "too bad" when their passwords are 6 chars (for example).
However we keep finding scenarios where it's being overly restrictive when the passwords should be considered strong enough. This is creating some friction with our clients because we're trying to tell them that we're enforcing strong passwords in a user-friendly manner, when this is actually not always the case.
Scenario 1: Mixed char passwords considered strong elsewhere are not in Plesk
Here is a sample password that, according to many online password checkers, is so secure ...
wHrAoztGSpZI)gQN
Password checkers I tested it with:
https://howsecureismypassword.net/ -- says it would take 131 BILLION YEARS for a single computer to crack.
http://www.passwordmeter.com/ -- says "Very Strong"
http://rumkin.com/tools/password/passchk.php -- says "This password is typically good enough to safely guard sensitive information like financial records."
Yet Plesk thinks it's weak.
Scenario 2: Exceptionally long passphrases are not secure enough
Example: There is a lemon in the monkey's mouth
This would apparently take 18 SEXDECILLION YEARS to crack. Yet Plesk says it's only Medium strength.
---
It seems pretty clear to me that Plesk is using an old password strength algorithm reminiscent of Windows NT password requirements of the last decade, where the strength is entirely defined by the use of symbols, numbers, and mixed-case letters.
Instead, this "very strong" password requirement should be smarter and use a similar algorithm to the one described at the rumkin.com tool above. When the password is beyond a certain number of chars, it should be safe to accept fewer symbols. When a passphrase is used, it shouldn't require symbols or numbers at all (assuming it's long enough).
Alternatively, perhaps the "Strong" password requirements could be strengthened so we can rely upon that level instead.
-Jordan
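To make the difference between the two approaches concrete, here is an added example (not code from the post, from Plesk, or from rumkin.com) that runs both kinds of check over the two passwords quoted above. The composition rule (`min_length=8`, all four character classes) is a constructed stand-in for the style of policy the post describes, not Plesk's actual rule; the entropy estimate is the simple length × log2(alphabet) figure with a Diceware-sized word list as the ceiling for multi-word passphrases, and the rating thresholds are likewise constructed for illustration. The 33-symbol alphabet (`string.punctuation` plus space) is an assumption.

```python
import math
import string

# Character classes and the alphabet size each one contributes to the
# per-character entropy estimate. The 33-symbol figure (string.punctuation
# plus the space character) is a working assumption, not a standard.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

# Size of the standard Diceware word list; used to cap the credit given to
# passphrases made of ordinary words.
DICEWARE_WORDS = 7776


def classes_used(password):
    """Return the set of character-class names present in the password."""
    used = set()
    for ch in password:
        for name, (chars, _size) in CLASS_SIZES.items():
            if ch in chars:
                used.add(name)
    return used


def class_policy_ok(password, min_length=8, min_classes=4):
    """Composition-rule check (constructed stand-in for the old style of
    policy): minimum length plus a minimum number of character classes.
    This is what rejects a 16-char random password that happens to lack a
    digit while accepting a short 'Passw0rd!'-shaped one."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


def entropy_bits(password):
    """Estimate guessing entropy in bits.

    Per-character estimate: length * log2(alphabet), where the alphabet is
    the union of the classes actually used. For strings of three or more
    words the word-based estimate (each word drawn from a Diceware-sized
    list) is also computed and the smaller value returned, so a passphrase
    of common words is not over-credited by the per-character figure.
    Neither estimate knows about dictionaries; a production checker should
    add a breached-password blocklist on top of this.
    """
    if not password:
        return 0.0
    alphabet = sum(CLASS_SIZES[name][1] for name in classes_used(password))
    per_char = len(password) * math.log2(alphabet) if alphabet else 0.0
    words = password.split()
    if len(words) >= 3:
        per_word = len(words) * math.log2(DICEWARE_WORDS)
        return min(per_char, per_word)
    return per_char


def entropy_rating(bits):
    """Map an entropy estimate to a label (thresholds are constructed here)."""
    if bits < 40:
        return "weak"
    if bits < 60:
        return "medium"
    if bits < 80:
        return "strong"
    return "very strong"


def assess(password):
    """Run both checks so the disagreement between them is visible."""
    bits = entropy_bits(password)
    return {
        "composition_ok": class_policy_ok(password),
        "bits": round(bits, 1),
        "rating": entropy_rating(bits),
    }


if __name__ == "__main__":
    # The two passwords quoted in the post, plus a constructed contrast case
    # that the composition rule accepts despite its low entropy.
    for pw in ["wHrAoztGSpZI)gQN",
               "There is a lemon in the monkey's mouth",
               "Passw0rd!"]:
        print(f"{pw!r}: {assess(pw)}")
```

Running it shows the inversion the post complains about: the 16-character random password and the 8-word passphrase both fail the four-class composition rule (neither contains a digit) while estimating at roughly 100 bits, whereas `Passw0rd!` satisfies the composition rule and lands under 60 bits.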