CPANEL/WHM password strength meter broken?

Discussion in 'Security' started by lsommerer, Jul 20, 2017.

  1. lsommerer

    lsommerer New Member

    I had a surprise today when I tried to change the root password on a new account. I typed in the password that I use for my KnownHost accounts, and the strength meter said "Very Weak (0/100)". It was a reasonable password, so I wondered what was causing it to register as very weak. What I discovered was that the password strength changed in what I consider unexpected ways as I typed the password.

    It looks to me like the algorithm is a little too sensitive to repeating characters. Take a look at the results of the strength meter for various lengths of the same password. Am I missing something here? These results don't make much sense to me:

    01 w
    08 wh
    11 whe
    14 wher
    17 where
    20 wheres
    21 wherese
    24 wheresev
    23 whereseve
    20 wheresever
    15 wheresevere
    38 wheresevere3
    50 wheresevere34
    48 wheresevere34h
    40 wheresevere34he
    30 wheresevere34her
    18 wheresevere34here
    22 wheresevere34heret
    16 wheresevere34hereto
    30 wheresevere34heretom
    16 wheresevere34heretomo
    00 wheresevere34heretomor
    00 wheresevere34heretomorr
    00 wheresevere34heretomorro
    00 wheresevere34heretomorrow

    This wasn't a problem. I just changed the password strength settings to zero and changed the password. But it confused me. Also, this is not the actual password, but it represents the same format with words that have a slightly higher degree of similarity.
  2. phpAddict

    phpAddict Active Member

    I believe it takes the password and calculates a percentage of character types, repetitiveness of the same words or character types, and usage of common words. Your example of wheresevere34heretomorrow is 92% lower case letters and only 8% digits, 0% uppercase, and 0% special chars. Throwing in 2 uppercase letters and 3 special characters in that example [email protected]#tomorrow makes the password strength indicator jump to 100%. Something as short as 6}a_4Z)% is 100% being a good mixture of all types and no repetitiveness. The strongest password in your example, wheresevere34, has the highest percentage of numbers to lowercase letters. Moving things around a little and adding uppercase letters in random spots, whEre3seVere4, is 96%. Just adding 1 special char at the end, whEre3seVere4!, is 100%. Notice in your example that wheresevere34 is 50%, but just adding 1 uppercase letter Wheresevere34, makes it 78%.

    I'm human (I think) same as you, so I like to have passwords that I can easily remember, so I do some tricks to easily remember them but completely remove common words from any rainbow tables. For example, if I wanted to use "cheese doodles" as a password, well, that's only 34%, but Ch33s3 Doodl3$ is 100%; all I need to remember is to uppercase each word, 3's for e's, $ for the S.
  3. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    Password strength calculators will always have their flaws and odd situations to which they're very sensitive, and others to which they're not.

    Where do you come up with this stuff :p
  4. phpAddict

    phpAddict Active Member

    I was hungry, and thinking about cheese puffs. :(
  5. WBW

    WBW New Member

  6. phpAddict

    phpAddict Active Member

    That is interesting, says...
    Tr0ub4dor&3 - Cracked in 4 hundred years
    correcthorsebatterystaple - Cracked instantly

    It just comes down to the type of attack and what information is accessible/made available to the attacker. In a straight brute-force attack, the longest password will always win. In a dictionary attack, the more complex password will likely win.

    I would say it's more important to have the program protect itself against attacks. Limiting logon attempts in a program, say 5 attempts in an hour before locking the targeted account for 24 hours, or even better locking it until the user contacts support, puts a halt to brute-force attacks. Requiring users to have complex passwords, as long as it's not a common one like 123QWEasd, stops dictionary attacks. Applying those two to any program, even with a password as simple as "J0sh!!", it's not going to be worth an attacker's time, and anyone managing the site is going to be able to quickly identify attackers. The attacker would have to do 4 attempts an hour to be able to attack that type of program rather than the 1000 guesses/sec in that comic strip.
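An added example, not code from the thread or from any product it mentions: a login throttle implementing the policy phpAddict sketches (5 failures within an hour locks the account for 24 hours), driven by constructed timestamps in seconds. The `password_ok` flag stands in for the real credential check, which is assumed to happen elsewhere.

```python
from collections import defaultdict

# Policy parameters as described in the post (assumed values for the example).
MAX_FAILS = 5            # failures inside WINDOW that trigger a lock
WINDOW = 3600            # one hour, in seconds
LOCKOUT = 24 * 3600      # lock duration, in seconds

class LoginThrottle:
    """Per-account sliding-window failure counter with a fixed-length lockout."""

    def __init__(self):
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0) > now

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'denied'.
        The credential result is only consulted when the account is not locked,
        so a locked account gives the same answer to right and wrong guesses."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self.failures[account].clear()
            return "ok"
        # Keep only failures still inside the window, then add this one.
        recent = [t for t in self.failures[account] if now - t < WINDOW]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILS:
            self.locked_until[account] = now + LOCKOUT
            self.failures[account].clear()
            return "locked"
        return "denied"

def guesses_per_day_without_lockout() -> int:
    """How many wrong guesses an attacker can make per day while staying below the
    lock threshold: (MAX_FAILS - 1) per WINDOW, i.e. the '4 attempts an hour' figure."""
    return (MAX_FAILS - 1) * 86400 // WINDOW

if __name__ == "__main__":
    throttle = LoginThrottle()
    for minute in range(5):                       # five failures one minute apart
        print(throttle.attempt("root", False, minute * 60))
    print(throttle.attempt("root", True, 300))    # correct password, still locked
    print(guesses_per_day_without_lockout(), "guesses/day vs 1000 guesses/sec")
```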
  7. lsommerer

    lsommerer New Member

    I understand that there are multiple ways to make a password stronger. But there is no circumstance where the password "where" is more secure than the password "wheresevere34heretomo". I was just pointing out that the algorithm for determining password strength isn't very accurate in instances where the user increases password entropy by increasing the length of the password instead of increasing the character space. Just an oddity, that's all.
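An added example, not code from the thread or from cPanel: a hypothetical character-class heuristic in the spirit of phpAddict's description, placed beside a plain length-times-alphabet brute-force estimate, both run over every prefix of a constructed stand-in for lsommerer's password. The heuristic's weights are assumptions chosen to reproduce the shape of the table above, not cPanel's real algorithm.

```python
import math

# Constructed stand-in for lsommerer's example password (not a real credential).
EXAMPLE = "wheresevere34heretomorrow"

def class_mix_score(pw: str) -> int:
    """Hypothetical 0-100 heuristic: reward a balanced mix of character classes,
    penalise repeated characters. An assumed model, not cPanel's actual algorithm."""
    if not pw:
        return 0
    counts = [sum(c.islower() for c in pw), sum(c.isupper() for c in pw),
              sum(c.isdigit() for c in pw), sum(not c.isalnum() for c in pw)]
    # Each class is worth up to 25 points, earned in full once it is >= 25% of the password.
    score = sum(min(25, int(100 * n / len(pw))) for n in counts)
    # Every character that repeats an earlier one costs 3 points, so a long lowercase
    # password bleeds points as it grows, which is the behaviour the table shows.
    repeats = len(pw) - len(set(pw))
    return max(0, min(100, score - 3 * repeats))

def entropy_bits(pw: str) -> float:
    """Brute-force search size in bits: length * log2(alphabet the attacker must
    assume, derived from the character classes actually present)."""
    alphabet = 0
    if any(c.islower() for c in pw): alphabet += 26
    if any(c.isupper() for c in pw): alphabet += 26
    if any(c.isdigit() for c in pw): alphabet += 10
    if any(not c.isalnum() for c in pw): alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def scores_by_prefix(pw: str):
    """Score every prefix, as lsommerer did while typing: list of (prefix, mix, bits)."""
    return [(pw[:i], class_mix_score(pw[:i]), round(entropy_bits(pw[:i]), 1))
            for i in range(1, len(pw) + 1)]

def non_decreasing(values) -> bool:
    return all(a <= b for a, b in zip(values, values[1:]))

if __name__ == "__main__":
    rows = scores_by_prefix(EXAMPLE)
    for prefix, mix, bits in rows:
        print(f"{mix:3d}  {bits:6.1f}  {prefix}")
    # Adding a character never lowers the brute-force estimate, but it can lower
    # the class-mix score: that is the oddity the thread is about.
    print("mix monotonic:", non_decreasing([r[1] for r in rows]))    # False
    print("bits monotonic:", non_decreasing([r[2] for r in rows]))   # True
```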
  8. lsommerer

    lsommerer New Member

    This is actually an interesting example too:

    correcthorsebatterystapl 7 QUADRILLION YEARS
    correcthorsebatterystaple INSTANTLY
    correcthorsebatterystaples 5 QUINTILLION YEARS
    wheresevere34heretomorrow 640 QUINTILLION YEARS

    So "correcthorsebatterystaple" is in one of the dictionaries that they are using. If you are interested in this sort of thing, Dropbox has a great writeup on password strength meters, and they have a little demo of the meter that they wrote that exposes the reasoning behind the scores (along with quite a few interesting examples of how various passwords score).
  9. phpAddict

    phpAddict Active Member

    That'd be because correcthorsebatterystapl isn't affected by a dictionary attack since stapl isn't a word whereas correcthorsebatterystaple is. As Jonathan said...
    Which applies in these cases. These tools are mostly just looking for complex passwords without common words in them.
  10. WBW

    WBW New Member

    I'm willing to bet that the strip caused some to actually use it (misunderstanding the intent) and those that crack to add it to the tables they use. Kind of like users that enter "your password" in forms that say "enter your password" to continue. ;)
  11. phpAddict

    phpAddict Active Member

    Dictionary attacks are more than just going through a list of words once. Attackers combine words together to create multiple word passwords. So they'll start with the word "a" go down through to "zyzzyva", then start again going 2 words deep using "aa" down to "azyzzyva", then onto "aardvarka", "aardvarkaardvark", eventually down to "zyzzyvazyzzyva", then 3 words deep "aaa", eventually to "aazyzzyva", etc.

    correcthorsebatterystaple being 4 words deep would certainly take longer than "instantly" to crack, but it's still vulnerable to a dictionary attack which is why it was flagged as a bad password.

    It's always a headache getting AD users to understand the importance of password policies. We run OphCrack and L0phtCrack using even a simple rainbow table to show users how quickly simple passwords can be cracked. Yes, July2017 might meet password complexity requirements, but it gets discovered in seconds. I'd certainly prefer and recommend "wheresevere34heretomo" over "where" as a password, but "wh3reseVere3he4retoMo" would be even better.
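An added example, not code from the thread or from the Dropbox meter it mentions: a dictionary-aware strength estimate that splits a password into word-list words plus leftover characters, the attack shape phpAddict describes above, and shows why lsommerer's "stapl" versus "staple" scores come out the way they do. The word list and the 10,000-word dictionary size are constructed assumptions.

```python
import math

# Constructed toy word list standing in for an attacker's dictionary; real lists are far larger.
WORDS = {"correct", "horse", "battery", "staple", "where", "severe", "here",
         "to", "tomorrow", "aardvark", "cheese", "doodles"}
DICT_SIZE = 10_000                 # assumed size of the attacker's word list
WORD_BITS = math.log2(DICT_SIZE)   # cost of guessing one dictionary word

def char_bits(c: str) -> float:
    """Cost of brute-forcing one character not covered by a dictionary word."""
    return math.log2(10 if c.isdigit() else 26 if c.isalpha() else 33)

def segment(pw: str):
    """Dynamic programme over pw: the cheapest split into dictionary words and
    leftover single characters, i.e. the attacker's best-case search size.
    Returns (bits, parts). A simplified version of the idea behind dictionary-aware
    meters such as the Dropbox one mentioned in the thread; not their code."""
    n = len(pw)
    best = [0.0] + [math.inf] * n      # best[i]: cheapest cost for pw[:i]
    back = [None] * (n + 1)            # (start, token) that achieved best[i]
    for i in range(1, n + 1):
        best[i] = best[i - 1] + char_bits(pw[i - 1])
        back[i] = (i - 1, pw[i - 1])
        for j in range(i):
            if pw[j:i] in WORDS and best[j] + WORD_BITS < best[i]:
                best[i] = best[j] + WORD_BITS
                back[i] = (j, pw[j:i])
    parts, i = [], n
    while i > 0:                        # walk the back-pointers to recover the split
        j, token = back[i]
        parts.append(token)
        i = j
    return best[n], parts[::-1]

def naive_bits(pw: str) -> float:
    """What a length-times-alphabet meter would claim, ignoring dictionary words."""
    return sum(char_bits(c) for c in pw)

if __name__ == "__main__":
    for pw in ("correcthorsebatterystapl", "correcthorsebatterystaple",
               "wheresevere34heretomorrow"):
        bits, parts = segment(pw)
        print(f"{pw}: naive {naive_bits(pw):.1f} bits, "
              f"dictionary-aware {bits:.1f} bits, split {parts}")
```

Four words from a 10,000-word list are about 53 bits of search, while the unmatched "stapl" costs five brute-forced characters on top of three words and so ranks higher, matching the ordering in lsommerer's table.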
