This announcement is to remind all clients of the security requirements when setting passwords on accounts.
THE PROBLEM When creating accounts in cPanel - choosing the cPanel password, email account passwords and other things that require passwords, it is essential that a secure password is used. This will decrease the risk of third parties guessing the password or 'cracking' it using an automated program to try different combinations. We put a lot of time into keeping our servers secure for the benefit of everyone but something like this is in the direct control of clients and we ask for everyone's help in making sure this aspect of security is given attention.
The reason that it is important for passwords to be secure is the same reason for making sure your house front door is shut and locked before leaving for work in the morning: a direct login to a cPanel or email account can be dangerous in the wrong hands, especially when those hands are intent on causing harm. During the past few months we have dealt with several cases of guessed/cracked passwords resulting in mass spam, warez dumps, hacking attempts, etc which reflects very badly on the account owner as it often results in account suspension while we check through everything. Due to the increased number of these we are seeing (and therefore having to clean up) we'll be taking some action to prevent it from happening as detailed below.
THE SOLUTION When creating passwords, please take the following into consideration:
* DO NOT use a dictionary word
* DO NOT use family, friend or common names
* DO NOT use sequential letters or numbers (eg abc, 123)
* DO NOT use the same password for multiple logins
* DO use random strings of letters and numbers
* DO use different passwords for different logins
* DO include upper and lower case letters at random
Need help creating a random password? See:
http://www.pctools.com/guides/password/ PREVENTATIVE MEASURES In order to try and prevent further problems with spam and other nasty stuff as a direct result of the account password being extremely weak, we will be putting to work some scripts to notify us of high risk accounts.
All servers will be installed with password 'cracking' software which will be used to run a very low level (ie weak) check on all user passwords. If this software is able to guess/match any passwords we will contact the user to request that the account password is changed.
It should be noted that our checking procedure will be very low level and only match user passwords that are extremely insecure and therefore easy to crack. The wordlist we'll be using is not large by any means and contains common words, people and place names along with very common passwords - if someone was going to try and crack a password all these would be included.
Us making sure that all passwords are set beyond the most basic possible security should benefit all users and make our servers more secure (along with individual accounts being more secure). No-one enjoys having their account files wiped, spam sent from their account without their knowledge, servers being blacklisted, etc and this is what we are aiming to reduce.
If you have any questions regarding this announcment then please open a helpdesk support ticket as usual at: http://www.anthonykeenan.com/helpdesk
Thank You.
