DirectAdmin Minimum Password Length

[John Vaudrey]

Hi

I am tying to change a direct admin password via the module and keep getting

Make sure the password contains the following: At least 12 characters, at least 1 upper-case character A-Z, at least 1 lower-case character a-z, at least 1 number 0-9, and at least 1 special character from the set: !"#$%&'()*+,-./:;<=>?@[]^_` {|};

Make sure the password contains the following: At least 12 characters, at least 1 upper-case character A-Z, at least 1 lower-case character a-z, at least 1 number 0-9, and at least 1 special character from the set: !"#$%&'()*+,-./:;<=>?@[]^_` {|}

The password i need to use is 10 characters and includes upper/lower characters and the @ symbol.

Could you tell me how I can reduce the minimum character length / force the password to be saved in Blesta.

DirectAdmin has accepted the password find when I tried to change it via the admin pages.

Thank you

[Paul]

On 6/1/2022 at 4:13 AM, Kal said:

I have edited this file as described, removing unwanted requirements and reducing the minimum password length to 9, but as soon as I try to add a service I still get the same message:

Help!

(BTW, for anyone who still believes that character-composition requirements are a good idea, you might want to read the advice of security experts like Troy Hunt, NIST and Microsoft who all advise against this practice. See: Passwords Evolved: Authentication Guidance for the Modern Era. A poor decision for Blesta to turn this on by default IMO.)

When Blesta is not the authority on the password requirement, we go with the strictest possible requirement defined by the control panel. If the panel has a setting to force passwords of 12 characters, upper-case, lower-case, and a special character, then we require that so that there is not a failure to deploy a new account or update a password within the panel.

We are actually against such requirements that make it difficult for the user to remember the password while making it easy for a computer to guess. This sums up our thoughts on passwords: https://xkcd.com/936/

Regarding the issue, are you certain that you have modified the correct file? You don't have another copy of Blesta in another directory? You are using the DirectAdmin module and not another? The password you provided meets the password requirements for your DA server? The text of the error message will not change based on you changing the requirements, so if the password doesn't meet the requirements you set, you'll get the same error unless you modify that in:

/components/modules/direct_admin/language/en_us/direct_admin.php:$lang['DirectAdmin.!error.direct_admin_password.format']

 

 

[Kal]

Hi Paul, and thanks for offering to help.

8 hours ago, Paul said:

Regarding the issue, are you certain that you have modified the correct file? You don't have another copy of Blesta in another directory? You are using the DirectAdmin module and not another?

Yes, no and yes. I edited the error message under the same directory, as you described, and I can confirm that the error message has now changed—so it's certainly the correct (and only) copy of Blesta on the server.

8 hours ago, Paul said:

The password you provided meets the password requirements for your DA server?

Yes, it exceeds the requirements. I was testing the 'Add Service' command on an existing account, and the password is the one that is already used by that account. I unticked 'Provision using the DirectAdmin module when activated'. Am I doing something wrong perhaps? The accounts are already set up in DirectAdmin—I just want to link them to Blesta so I can start using it for billing. I also tried creating a new account by specifying a new username and domain, but I just get the same error again, even if I use Blesta's 'Generated Password' feature.

So despite the error, I suspect the problem is not with the password requirements. What else could cause this error to get triggered?

8 hours ago, Paul said:

When Blesta is not the authority on the password requirement, we go with the strictest possible requirement defined by the control panel. If the panel has a setting to force passwords of 12 characters, upper-case, lower-case, and a special character, then we require that so that there is not a failure to deploy a new account or update a password within the panel.

Last time I checked, DirectAdmin's `enforce_difficult_passwords` option is turned off by default, and if you turn it on, the default minimum password requirements are 6 characters including an upper-case letter, lower-case letter and number. See: Difficult password enforcement option. When you say that you 'go with the strictest possible requirement', how can you know how a user has configured this in DirectAdmin? Password checking is performed by a script, and there is no limit to how the server admin could configure this.

[Kal]

Something just occurred to me… I have two-factor authentication turned on in DA (as every security-minded admin should). Is this incompatible with the module?

[Paul]

19 hours ago, Kal said:

Something just occurred to me… I have two-factor authentication turned on in DA (as every security-minded admin should). Is this incompatible with the module?

I'm not familiar with DA's 2FA and nobody else has mentioned it, but if you are forcing 2FA then that may be the problem. I would suggest temporarily disabling it to check if it works.

Edit: Obviously if API commands require 2FA they ill never be able to be automated.

[Kal]

7 hours ago, Paul said:

I'm not familiar with DA's 2FA and nobody else has mentioned it, but if you are forcing 2FA then that may be the problem. I would suggest temporarily disabling it to check if it works.

Okay, so DA has the option 'Allow API logins with the current User/password', which is ticked. Just to be sure, I temporarily turned off 2FA, but the problem persists.

Any other ideas?

[Kal]

@Paul, I've done some more tests and worked out that the problem is with the `DirectAdmin.password_length` setting. Regardless of what I set this to, the error appears if I enter a password of less than 12 characters. The `DirectAdmin.password_requirements` setting works as expected.

For example:

Configure::set('DirectAdmin.password_requirements', [
    ["A-Z"],
    ["a-z"]
]);
Configure::set('DirectAdmin.password_length', 9);

With these settings, a password of 'Abcdefghijkl' (12 characters) passes, but a password of 'Abcdefghijk' (11 characters) fails.

Is this a bug, or have I missed something?

[Paul]

On 6/3/2022 at 10:21 PM, Kal said:

@Paul, I've done some more tests and worked out that the problem is with the `DirectAdmin.password_length` setting. Regardless of what I set this to, the error appears if I enter a password of less than 12 characters. The `DirectAdmin.password_requirements` setting works as expected.

For example:

Configure::set('DirectAdmin.password_requirements', [
    ["A-Z"],
    ["a-z"]
]);
Configure::set('DirectAdmin.password_length', 9);

With these settings, a password of 'Abcdefghijkl' (12 characters) passes, but a password of 'Abcdefghijk' (11 characters) fails.

Is this a bug, or have I missed something?

That is unusual. I was able to reproduce this and have created the following task:

https://dev.blesta.com/browse/CORE-4667

[Kal]

8 hours ago, Paul said:

That is unusual. I was able to reproduce this and have created the following task:

https://dev.blesta.com/browse/CORE-4667

Thanks for testing and confirming the bug. Any ETA on when it might be fixed? Any chance it will be a simple change I can replicate, or will I need to renew my paid support?

[Riddle]

I know this is kinda old topic, but same issue here. Changed the file to alter the 2, but keeps denying my password setup in adding service for a client...

[Paul]

On 1/11/2021 at 4:42 PM, John Vaudrey said:

Hi

I am tying to change a direct admin password via the module and keep getting

Make sure the password contains the following: At least 12 characters, at least 1 upper-case character A-Z, at least 1 lower-case character a-z, at least 1 number 0-9, and at least 1 special character from the set: !"#$%&'()*+,-./:;<=>?@[]^_` {|};

Make sure the password contains the following: At least 12 characters, at least 1 upper-case character A-Z, at least 1 lower-case character a-z, at least 1 number 0-9, and at least 1 special character from the set: !"#$%&'()*+,-./:;<=>?@[]^_` {|}

The password i need to use is 10 characters and includes upper/lower characters and the @ symbol.

Could you tell me how I can reduce the minimum character length / force the password to be saved in Blesta.

DirectAdmin has accepted the password find when I tried to change it via the admin pages.

Thank you

Open this file to change the requirements:
/components/modules/direct_admin/config/direct_admin.php

Configure::set('DirectAdmin.password_requirements', [
    ["A-Z"],
    ["a-z"],
    ["0-9"],
    ["!", "\"", "#", "$", "%", "&", "'", "(", ")", "*", "+", ",", "-", ".", "/", ":", ";", "<", "=", ">", "?", "@", "[", "]", "^", "_", "`", "{", "|", "}"]
]);
Configure::set('DirectAdmin.password_length', 12);

As an example, you can change the length requirement to 10, and eliminate the need for a special character by changing it to:

Configure::set('DirectAdmin.password_requirements', [
    ["A-Z"],
    ["a-z"],
    ["0-9"]
]);
Configure::set('DirectAdmin.password_length', 10);

This would require capital letter, lowercase letter, and a number, that's 10 characters long. Adjust as necessary.

[Kal]

On 1/19/2021 at 6:43 AM, Paul said:

Open this file to change the requirements:
/components/modules/direct_admin/config/direct_admin.php

I have edited this file as described, removing unwanted requirements and reducing the minimum password length to 9, but as soon as I try to add a service I still get the same message:

Help!

(BTW, for anyone who still believes that character-composition requirements are a good idea, you might want to read the advice of security experts like Troy Hunt, NIST and Microsoft who all advise against this practice. See: Passwords Evolved: Authentication Guidance for the Modern Era. A poor decision for Blesta to turn this on by default IMO.)