1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Weak passwords on mail accounts

Discussion in 'Plesk for Linux - 8.x and Older' started by Ragefast, Sep 4, 2008.

  1. Ragefast

    Ragefast Guest

    Hello people,

    Recently I've been target of spammers which upon further investigation, were using authenticated mail accounts to send mail thru my server, where all these exploited accounts had weak passwords like '123456'.

    Although I force my clients with the good-password policy, they are able to change their password from Horde, which doesn't seem to make any checks on the password typed in. I can change their passwords to a safe one, but I feel that it is not right to just change it, because if the user doesn't notice the vulnerability, he will still try to change back to the weak one, which is easy to remember, for example.

    Is there a way to block users from being able to change their password to weak ones from the Horde interface? Or even Plesk interface? Because Plesk, even with the dictionary checking turned one, still allows passwords like 123456.

  2. lblondel

    lblondel Guest

    I've got the same problem with a user who set his password to toto1.

    See my post : http://forum.swsoft.com/showthread.php?t=54006

    Can we fill Plesk Dictionnary with weak passwords ? So if a user want to use a weak password, plesk discard it !
  3. Ragefast

    Ragefast Guest

    Thanks for the reply, but the problem isn't really Plesk, but Horde. From some testing I did, even if Plesk refuses the password, you can still set it from Horde interface.

    What I'd like to know if we can somehow force Horde to check these passwords too, so the user can't set them.