
Issue Very strong password problem...

MicheleP

Basic Pleskian
Server operating system version
Linux
Plesk version and microupdate number
18.0.55
Hi
I use a very strong password policy.
So you can probably imagine how surprised I was when I saw that a user had changed the password from the webmail, using the domain as the new password!
So if I have, for example, a domain myverybeautifuldomain.com, a user can set "myverybeautifuldomain" as password (with and without .com).
And it is not important that there are only lowercase chars, without uppercase chars or numbers or special chars ...
I've made some tests and sometimes Plesk says that the password is not strong enough, but many times it accepts the domain as password (based on the specific domain).
I don't understand why it checks if the password contains the username but does not check if it contains the domain.
Battling every day with upper, lower, number, special characters and then this crazy thing ...
If this is not a bug, it is surely an irresponsible method, as a user, in his naivety..., can create himself a BIG security breach.
So PLEASE Plesk people, would you be so KIND to set a control on the domain name (with and without extension) in the password!?
And possibly force to request at least ONE upper char in the password? And not only the simple length of 12/13 chars?
Thanks!
 
Plesk validates the password strength based on the zxcvbn-ts algorithm, which is considered to be a pretty good password strength checker. More information about the usage in Plesk can be found here.

That being said, it is uncomfortable (to say the least) to know that passwords that match a (long) domain name can be used. That doesn't feel quite right. Could you submit a bug report about this issue so the developers can have a look at it (or submit a ticket to support)?
 
Hi
It is not a long domain, it's a simple 13 chars domain.
Sorry, cannot open bug report, have to go. But the problem is there for all to see.
And I think that some plesk people have read this post.
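
The check asked for in the first post (reject a password built on the mailbox name or on the domain, with and without its extension), as an added example that is not part of the thread and is not Plesk or zxcvbn-ts code. The helper names, the minimum token length of 4 and the sample mailbox are assumptions made for the illustration.

```javascript
// Added example: context-aware password check (not Plesk or zxcvbn-ts code).
// normalize(), contextTokens() and passwordReusesContext() are hypothetical helpers.

// Fold case and strip everything except letters and digits, so that
// "MyVeryBeautifulDomain.com" and "myverybeautifuldomaincom" compare equal.
function normalize(s) {
  return s.normalize('NFKC').toLowerCase().replace(/[^\p{L}\p{N}]/gu, '');
}

// Build the strings a password must not be built on, from the mailbox address:
// local part, full address, full domain, domain without its last label (the
// "without .com" case), and each label of at least minLen characters.
function contextTokens(mailbox, minLen = 4) {
  const at = mailbox.lastIndexOf('@');
  const local = at >= 0 ? mailbox.slice(0, at) : mailbox;
  const domain = at >= 0 ? mailbox.slice(at + 1) : '';
  const labels = domain.split('.').filter(Boolean);
  const candidates = [local, mailbox, domain, labels.slice(0, -1).join('.'), ...labels];
  const tokens = new Set();
  for (const c of candidates) {
    const n = normalize(c);
    if (n.length >= minLen) tokens.add(n); // short tokens ("com") would over-match
  }
  return [...tokens];
}

// Return the context token found inside the password, or null if there is none.
function passwordReusesContext(password, mailbox) {
  const p = normalize(password);
  // Longest first, so the most specific match is the one reported.
  const tokens = contextTokens(mailbox).sort((a, b) => b.length - a.length);
  return tokens.find(t => p.includes(t)) ?? null;
}

// Constructed sample input, using the domain named in the first post.
const sampleMailbox = 'info@myverybeautifuldomain.com';
for (const pw of ['myverybeautifuldomain', 'MyVeryBeautifulDomain.com!', 'Info2024info', 'k7#Tq!vR2m@Zx']) {
  const hit = passwordReusesContext(pw, sampleMailbox);
  console.log(pw, '->', hit ? `rejected (contains "${hit}")` : 'passes context check');
}
```

The zxcvbn family of estimators accepts a per-user word list alongside the password, and a token list like this one is what would go there; the thread does not say whether Plesk supplies one.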
 