| Important password security changes |
|---|
| Recently we have become aware of an increase in password breaches affecting email accounts, cPanel accounts, FTP accounts, and in one case a reseller account. Such breaches are obviously very serious in nature for the customer involved and represent a lot of time and effort for us to clean up after. Additionally, certainly in terms of email account password breaches where spam is sent, this affects the 'reputation' of the server (blacklisted), and therefore the email sending ability of the other customers on the server. Many of these password breaches appear to be as a result of weak (easy to guess) passwords, such as "password", "123456", "letmein", etc. Many email accounts such as sales@example.com have the password set to "sales", which is one of the first things the spammers will try. In order to combat this, we urgently need to enforce a 'minimum strength' for passwords. We will be making this change out of hours (7pm onwards) on all our shared and reseller servers tonight, 11th of June 2014. The change may involve a fairly quick restart of some services on the server. 99% of users will not notice this. Any new passwords will have to conform to the new minimum strength, including cPanel, FTP, email, MySQL accounts. Existing weak passwords will need to be changed if logging into a cPanel service (such as webmail, cPanel, WHM), but will remain unaltered if only logging in through a client program such as Outlook, Mac Mail, etc. Additionally this will also affect any script/program set up through Softaculous. We wanted to avoid the necessity for existing passwords to be changed, and only to enforce the minimum strength on new passwords, but unfortunately this appears to not be possible. We apologise for the short notice, but consider this to be an important security issue, and most customers will be unaffected by the changes, provided their passwords are strong enough. |
| Updated by Chris Yates on 11th Jun 2014 @ 16:04pm |