The password is the single most common security measure for digital systems, both online and offline. The problem is that passwords are becoming less and less secure as attackers gain more powerful tools to simply brute-force them. A great deal of attention has gone towards the creation of secure passwords, what constitutes one, and whether or not it is feasible to keep a bunch of random alphanumeric strings in your head all the time. As an administrator of a WHM/cPanel server, you might want to enforce certain password policies for new or existing users.

In this article, we look at three different ways to firm up your password requirements by:

  1. Requiring a certain password strength;
  2. Specifying the age limit for a given password;
  3. Forcing users to change their passwords.

The configuration of these three settings will enable you to maintain at least a minimum barrier against people trying to break into your system by guessing passwords.

Setting the Password Strength

The definition of a “strong” password is the subject of much debate. Recently, an xkcd comic illustrated the dilemma of passwords that are difficult for people to remember but paradoxically easier for computers to guess, especially if the programmer is aware of the techniques used to deliberately “tweak” a password, such as capital letters or substitutions in the word.

Nonetheless, unless your users know what they’re doing, it makes sense to enforce a certain password strength requirement. How exactly the strength is calculated isn’t something WHM makes public. Suffice it to say that adding numerals, a mixture of uppercase and lowercase letters, and special characters all serve to dramatically increase the password strength. According to WHM customer support, a website like this one shows you the various parameters that go into calculating the strength of a password.

To set a minimum default password strength for various WHM services, log into the dashboard and click “Password Strength Configuration” from the left-hand side as shown below.

[Screenshot: password strength combination]

On this page, a slider lets you set the required strength anywhere up to 100. In the screenshot below, my current default password strength is 20. This value of 20 is automatically applied to all of the services below that have “default” selected.

[Screenshot: set password strength - defaults]

Note that you can adjust the password strength requirement of any individual service, and that value overrides the default setting for that service. This is how you enforce passwords of a certain strength in WHM.

Configuring Password Age

Another aspect of web security is requiring your users to change their passwords periodically. The efficacy of this kind of measure is a matter of much discussion, but WHM makes it easy to enforce such a policy. Select “Configure Security Policies” on the left-hand side of the WHM dashboard and check the “Password Age” box:

[Screenshot: set password age]

On doing this, a new line will appear below it allowing you to type in the number of days after which the user must change their password – in my case, it defaults to 30 days.

Forcing a Password Change

Finally, after you’ve made these configuration changes, you may want to require one or more of your users to change their passwords immediately. Of course, you could always ask them to do so, but sometimes security takes precedence over convenience and you would like to force the issue.

Or perhaps you suspect that the passwords of some of your clients have been compromised, in which case forcing them to change their password is a top priority. To do this, choose the “Force Password Change” menu item as shown here:

[Screenshot: force password change]

From the list of users presented, place a checkmark next to those whose password you want changed on the next login, and hit “Submit”.
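To decide which users to tick in that list, you can audit how old each password is. The script below is an added example, not part of the original article or of cPanel's own tooling; it ties the 30-day Password Age value to the Force Password Change step by reading shadow(5)-format entries. It assumes the accounts are Linux system users with such entries, and the sample lines, user names and dates are constructed.

```python
from datetime import date

MAX_AGE_DAYS = 30  # the Password Age value used in this article

# Constructed sample in shadow(5) format: name:hash:lastchg:min:max:warn:::
# lastchg is the day of the last password change, counted from 1970-01-01.
SAMPLE_SHADOW = """\
alice:$6$constructed$hash:19700:0:99999:7:::
bob:$6$constructed$hash:19750:0:99999:7:::
carol:$6$constructed$hash:0:0:99999:7:::
dave:$6$constructed$hash::0:99999:7:::
nobody:*:19000:0:99999:7:::
"""

def audit_password_age(shadow_text, today, max_age=MAX_AGE_DAYS):
    """Return {user: finding} for accounts that do not meet the age policy."""
    today_days = (today - date(1970, 1, 1)).days
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # not a shadow entry
        user, pw_hash, lastchg = fields[:3]
        if pw_hash.startswith(("*", "!")):
            continue  # locked or no password login: nothing to age out
        if lastchg == "":
            # Empty field: no change date is recorded for this account.
            findings[user] = "no change date recorded"
        elif not lastchg.isdigit():
            findings[user] = "unparseable change date"
        elif int(lastchg) == 0:
            # 0 is the shadow(5) marker for "must change at next login".
            findings[user] = "change already required at next login"
        elif today_days - int(lastchg) > max_age:
            findings[user] = f"{today_days - int(lastchg)} days old"
    return findings

if __name__ == "__main__":
    report = audit_password_age(SAMPLE_SHADOW, date(2024, 2, 10))
    for user, finding in report.items():
        print(f"{user}: {finding}")
```

On a real server you would pass in the contents of /etc/shadow (readable by root only) and today's date instead of the constructed sample.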

These three measures should allow you to craft a comprehensive password policy for your WHM/cPanel installation.


About the Author

Bhagwad Park
