Question
What was changed in the Plesk Password Strength Policy since 2022?
Answer
The new validation feature is enabled by default starting from July 5th, 2022 (Obsidian 18.0.45 release)
Warning: If the automatic 3rd-party scripts manage Plesk with CLI or API, it is needed to check that the new validator accepts the passwords generated by them. Otherwise, domains/subscriptions would not be created due to the password strength validation failure.
The new validation feature was delivered in the disabled state in Plesk Obsidian 18.0.43 (April 12th). In order to test it before it is implemented it could be enabled by specifying the following panel.ini option:
[passwordManagement]estimator = zxcvbn
For customers, who use automatic scripts for subscriptions/customers creation the new API 1038 error code was added. This error code will be returned to a 3rd-party system if a used password was not accepted by Plesk so it will be possible to reinitiate the password generation process.
It means that customers with a such scenario can update their scripts to reinitiate a password generation and validation process if the previous password was not accepted.
Plesk Password Strength Policy
|
Very Weak |
No protection |
"Too guessable" |
|
Weak |
Modest protection from throttled online attacks |
"Very guessable" |
|
Medium |
Modest protection from unthrottled online attacks |
"Somewhat guessable" |
|
Strong |
Modest protection from offline attacks assuming a slow hash function (like bcrypt, scrypt, PBKDF2, argon) |
"Safely unguessable" |
|
Very Strong |
Strong protection from offline attacks assuming a slow hash function (like bcrypt, scrypt, PBKDF2, argon) |
"Very unguessable" |
Time to crack
- Plesk uses a 3rd-party open-source solution to identify the password strength. The solution could be checked at:
https://zxcvbn-ts.github.io/zxcvbn/demo/ - The used default password strength level can be checked at:
https://github.com/zxcvbn-ts/zxcvbn/blob/49708e2a5cce6ae58958256d56e3918412ead865/packages/libraries/main/src/TimeEstimates.ts#L65-L86
|
Entropy |
Number of passwords |
Time to crack |
|||
|---|---|---|---|---|---|
|
online, throttled(100 / hour) |
online, unthrottled(10 / second) |
offline, slow hash(10k / second) |
offline, fast hash(10B / second) |
||
|
8.0 bits |
2.56e+02 |
12.8 hours |
12.8 seconds |
0.0 seconds |
0.0 seconds |
|
10.0 bits |
1.02e+03 |
2.1 days |
51.2 seconds |
0.1 seconds |
0.0 seconds |
|
12.0 bits |
4.10e+03 |
8.5 days |
3.4 minutes |
0.2 seconds |
0.0 seconds |
|
14.0 bits |
1.64e+04 |
34.1 days |
13.7 minutes |
0.8 seconds |
0.0 seconds |
|
16.0 bits |
6.55e+04 |
136.5 days |
54.6 minutes |
3.3 seconds |
0.0 seconds |
|
18.0 bits |
2.62e+05 |
1.50e+00 years |
3.6 hours |
13.1 seconds |
0.0 seconds |
|
20.0 bits |
1.05e+06 |
5.98e+00 years |
14.6 hours |
52.4 seconds |
0.0 seconds |
|
22.0 bits |
4.19e+06 |
2.39e+01 years |
2.4 days |
3.5 minutes |
0.0 seconds |
|
24.0 bits |
1.68e+07 |
9.57e+01 years |
9.7 days |
14.0 minutes |
0.0 seconds |
|
26.0 bits |
6.71e+07 |
3.83e+02 years |
38.8 days |
55.9 minutes |
0.0 seconds |
|
28.0 bits |
2.68e+08 |
1.53e+03 years |
155.3 days |
3.7 hours |
0.0 seconds |
|
30.0 bits |
1.07e+09 |
6.12e+03 years |
1.70e+00 years |
14.9 hours |
0.1 seconds |
|
32.0 bits |
4.29e+09 |
2.45e+04 years |
6.80e+00 years |
2.5 days |
0.2 seconds |
|
34.0 bits |
1.72e+10 |
9.80e+04 years |
2.72e+01 years |
9.9 days |
0.9 seconds |
|
36.0 bits |
6.87e+10 |
3.92e+05 years |
1.09e+02 years |
39.8 days |
3.4 seconds |
|
38.0 bits |
2.75e+11 |
1.57e+06 years |
4.36e+02 years |
159.1 days |
13.7 seconds |
|
40.0 bits |
1.10e+12 |
6.27e+06 years |
1.74e+03 years |
1.74e+00 years |
55.0 seconds |
|
42.0 bits |
4.40e+12 |
2.51e+07 years |
6.97e+03 years |
6.97e+00 years |
3.7 minutes |
|
44.0 bits |
1.76e+13 |
1.00e+08 years |
2.79e+04 years |
2.79e+01 years |
14.7 minutes |
|
46.0 bits |
7.04e+13 |
4.01e+08 years |
1.11e+05 years |
1.11e+02 years… |
|