The Plesk default password strength policy under Tools & Settings > Security Policy will be changed to Strong starting from Plesk Obsidian 18.0.25.
This policy requires passwords to be at least 8 characters long and to have at least one occurrence of upper and lower-case characters, digits, and special characters, for example: P@ssw0rd12.
Note: The uppercase/lowercase, digit and special-character requirements apply only to short passwords (fewer than 14 characters). Longer passwords are considered Very strong by default even if they contain no upper-case letter, digit or special symbol, with the exception of long passwords in which the same letters or digits repeat, for example "thisssisssssssss".
Why are we doing this?
Before the Plesk Obsidian release, the default password strength policy was set to "Very weak".
Such passwords satisfy only the minimum required strength in Plesk and could be brute-forced in 0-7 minutes. Changing the password strength policy provides strong protection against brute-force attacks.
For which Plesk servers the password strength policy will be changed
The Plesk default password strength policy will be changed as follows:
- For all new Plesk Obsidian installations, the "Strong" password strength policy will be applied by default.
- For Plesk servers updated to Plesk Obsidian:
  - If the password strength policy is "Very weak", the default value will be set to "Strong" during the next two months. Plesk will use the smooth rollout mechanism to change the policy.
    Note: existing user passwords will not be changed.
  - If the password strength policy differs from "Very weak", the policy in use will be kept intact until March 2020.
We want everyone to have the same level of security, so after strengthening passwords for new Plesk installations, we’ll roll out the same for existing Plesk Obsidian installations starting from March 2020.
For Plesk Onyx and earlier, the password strength policy will not be changed.
Changing the default password strength policy can have an impact on automatic initialization scripts that are used during Plesk installation. If you use automatic scripts with CLI or API calls to install Plesk, adjust the password generator to meet the new policy requirements.
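One way to adjust such a generator, as an added example that is not Plesk's own code: it produces passwords that satisfy the Strong rules stated above (at least 8 characters with at least one upper-case letter, lower-case letter, digit and special character) and validates them with the same rules before they are passed to a CLI or API call. The set of special characters is an assumption; this page does not list which ones Plesk accepts.

```python
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumed special-character set; narrow it to what your CLI/API calls tolerate.
SPECIAL = "!@#$%^&*()-_=+[]{}:,.?"
MIN_LEN = 8  # minimum length under the Strong policy


def meets_strong_policy(password: str) -> bool:
    """Check the Strong policy as stated: >= 8 characters and at least one
    upper-case, lower-case, digit and special character."""
    if len(password) < MIN_LEN:
        return False
    return all(any(ch in cls for ch in password)
               for cls in (UPPER, LOWER, DIGITS, SPECIAL))


def generate_password(length: int = 16) -> str:
    """Generate a policy-compliant password for an initialization script.

    One character from each required class is guaranteed, the rest are drawn
    from the full pool, and the result is shuffled with a CSPRNG so the
    guaranteed characters do not always sit at the front.
    """
    if length < MIN_LEN:
        raise ValueError(f"length must be at least {MIN_LEN}")
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    pool = UPPER + LOWER + DIGITS + SPECIAL
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    password = "".join(chars)
    # Validate before handing the value to any installer call.
    assert meets_strong_policy(password)
    return password


if __name__ == "__main__":
    # Print a single password so a shell script can capture it, e.g.
    # PASSWORD="$(python3 genpass.py)" (genpass.py is a hypothetical file name).
    print(generate_password())
```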