• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue "Very Strong" password policy is unnecessarily prohibitive

websavers

Regular Pleskian
We've been trying to ensure that all of our servers are configured with the "Very Strong" password requirement policy. We most definitely want to ensure a high level of security and we're fine with telling clients "too bad" when their passwords are 6 chars (for example).

However we keep finding scenarios where it's being overly restrictive when the passwords should be considered strong enough. This is creating some friction with our clients because we're trying to tell them that we're enforcing strong passwords in a user-friendly manner, when this is actually not always the case.

Scenario 1: Mixed char passwords considered strong elsewhere are not in Plesk

Here is a sample password that, according to many online password checkers is so secure ...

wHrAoztGSpZI)gQN

Password checkers I tested it with:
https://howsecureismypassword.net/ -- says it would take 131 BILLION YEARS for a single computer to crack.
http://www.passwordmeter.com/ -- says "Very Strong"
http://rumkin.com/tools/password/passchk.php -- says "This password is typically good enough to safely guard sensitive information like financial records."

Yet Plesk thinks it's weak.

Scenario 2: Exceptionally long passphrases are not secure enough

Example: There is a lemon in the monkey's mouth

This would apparently take 18 SEXDECILLION YEARS to crack. Yet Plesk says it's only Medium strength.

---

It seems pretty clear to me that Plesk is using an old password strength algorithm reminiscent of Windows NT password requirements of last decade where the strength is entirely defined by the use of symbols, numbers, and mixed case letters.

Instead, this "very strong" password requirement should be smarter and use a similar algorithm as described at the rumkin.com tool above. When the password is beyond a certain number of chars, it should be safe to accept less symbols. When a passphrase is used, it shouldn't require symbols or numbers at all (assuming it's long enough).

Alternatively, perhaps the "Strong" password requirements could be strengthened so we can rely upon that level instead.

-Jordan
 
It's even worse.

Plesk considers this to be medium strength: dqDx2+PEYxTmjqi (generated by openssl rand 30 -base64)
And this to be strong, even though it is only 7 characters long: 123$%&A ($%& are Shift-456 on a German keyboard)

I think the algorithm is broken and useless.

mfG mow
 
Guys, yes, we must admit that this system does not work perfectly. The problem is known to our security team and they are working to improve it. Thank you for the scenarios described, they will help us in further research.
 
JFYI, we have internal report PFSI-61699 regarding this issue.
 
Back
Top