require randomized passwords

Driesp (Verified User, joined Mar 12, 2007, 202 messages, Belgium)
Hi all

A couple of years ago, I made a feature request suggestion on feedback.directadmin.com.
Many hosting providers only allow users to receive a randomly generated password when changing or configuring e-mail accounts, FTP accounts, databases, ...
This prevents users from choosing a too-easy password or a password they already use elsewhere.
By only allowing randomly generated passwords, all passwords are unique and strong.
This will greatly improve the security of the server/network.

E-mail accounts are configured permanently in a device, databases are configured in a configuration file, and an FTP password can be remembered in the FTP client.
DirectAdmin passwords can be remembered in the web browser or in a password database.

Today, it is still impossible to use two-factor authentication on e-mail accounts or FTP accounts (or databases).
This is an extra reason why we should prevent users from setting their own passwords.

I would suggest an extra configuration option like this:
require_randomized_passwords=yes

Please give your +1 here:

Kind regards
Dries
 
Hi all

I want to bump up this topic.

I hope this feature can be implemented in DirectAdmin. It will greatly improve the security of the servers and network.

Kind regards
Dries
 
Hello all

I would like to bump this thread up again, (sorry,.....)

Europe is implementing NIS2, and companies are required to do 2FA or update their security or they are not compliant with European regulations!!!
(if I understood correctly?)

Unfortunately, we cannot do 2FA (or modern authentication mechanisms like passkeys) on SMTP, POP3, IMAP or FTP.
It is also not possible to narrow authentication down to specific IP ranges, as far as I know.

With this in mind, I would like to ask to implement a more secure way of configuring passwords on DirectAdmin.
I am looking for a security option so clients are only allowed to use (predefined) randomized passwords while changing (or configuring) a password.

Please give a +1 here so this security feature can be implemented soon:

Thank you in advance!!!!!!
Best regards
Dries
 
and companies are required to do 2FA or update their security or they are not compliant with European regulations!!!
Can you point to a link for this so we can have a look? I doubt that the EU can oblige us all to implement 2FA or something. I would like to have a read myself to see if you indeed understood it correctly and we are missing important information.
 
Thank you for the links!

I had a quick look. Belgium is further along than the Netherlands with this. NL is behind on planning, and for a lot of things it's not clear for hosting companies what exactly is being changed and how.
Better checks on domain names and verification, as far as I can see.

But there is no rule which requires randomized passwords. Users are responsible for that anyway, because they can change them later on, so I would say that with difficult password enforcement activated, we should be good. Also, there is no 2FA obligation yet, which isn't even possible with e-mail at the moment. Maybe with webmail, with adjustments.

Belgium has them already implemented in their law. I had a look at the competition here (click), which explained it nicely for the Netherlands. So for us, at this moment, it's totally not clear what they will expect from us.
Of course basic things such as reporting issues/hacks when customer info is stolen, and SIDN is looking at a better security policy, but nothing is clear yet, as some of the ideas to check ownership will also go into the privacy law. So that needs legislation, which is still not ready yet in NL.

So it's not really clear to me how far this will affect our business as small hosting providers, as the Dutch legislation is not known yet. But the link I posted gives a small insight, in the Dutch language, into what we can expect at the moment.
 
Hi all

Can anyone at DirectAdmin look into implementing this feature please?
I would like to force my clients to use a randomized password at all times, for all accounts.

I just had a client whose e-mail password was guessed; he was using two words with a capital letter and a number.
I would like to prevent my clients from setting too-simple passwords, and I would like to secure our network better.

Thank you in advance.
Kind regards
Dries
 
Hello,

Will it help if you set a minimum length of 16-18?

Bash:
da config-set enforce_difficult_passwords 1
da config-set difficult_password_length_min 16 --restart

Of course, it won't protect against setting a password to TestPassword2025.

I checked for a possible DA hook and found nothing. So there is no way to customize this part in DirectAdmin. If there were a hook script, one could use cracklib for testing passwords. But it might not work as well as one wants:

Bash:
# echo "Password2025" | cracklib-check
Password2025: it is based on a dictionary word

while

Bash:
# echo "TestPassword2025" | cracklib-check
TestPassword2025: OK

DA developers might need to add more checks here.

I would like to prevent my clients from setting too-simple passwords, and I would like to secure our network better.
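To make the "more checks" point concrete, here is an added example (not DirectAdmin's, cracklib's or any poster's code) of what a password-acceptance routine could look like if a hook existed: it generates passwords the way the feature request asks for (random, CSPRNG-backed, one character of each class guaranteed) and it rejects manually chosen passwords that cracklib-check lets through, such as TestPassword2025. The word list is constructed inline as a stand-in for a real dictionary, the 16-character minimum mirrors the difficult_password_length_min value above, and the CamelCase-splitting and trailing-year heuristics are assumptions about what the extra checks might be, not something DirectAdmin does.

```python
import re
import secrets
import string

# Constructed stand-in for a cracklib-style dictionary (assumption: a real hook
# would load /usr/share/dict/words or cracklib's packed dictionary instead).
DICTIONARY = {"test", "password", "admin", "welcome", "summer", "hello", "letmein"}

MIN_LENGTH = 16  # same value as difficult_password_length_min 16 in the thread
SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG with at least one lowercase letter,
    one uppercase letter, one digit and one symbol, then shuffled."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    rng = secrets.SystemRandom()
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def split_words(password: str) -> list[str]:
    """Split 'TestPassword2025' into ['test', 'password'] on CamelCase and
    digit/symbol boundaries, so concatenated dictionary words are visible."""
    parts = re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", password)
    return [p.lower() for p in parts]


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # cracklib's "based on a dictionary word" test, extended to word concatenations:
    # reject when dictionary words make up most of the alphabetic content.
    words = split_words(password)
    hits = [w for w in words if w in DICTIONARY]
    letters_only = re.sub(r"[^A-Za-z]", "", password)
    if hits and sum(len(w) for w in hits) >= 0.75 * len(letters_only):
        reasons.append("built from dictionary words: " + ", ".join(hits))

    # Word + year is the classic manual-password pattern the thread describes.
    if re.search(r"(19|20)\d{2}$", password):
        reasons.append("ends with a year")

    present = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if present < 3:
        reasons.append("fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password2025", "TestPassword2025", generate_password()):
        verdict = check_password(candidate)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

Run stand-alone, the script rejects both sample passwords from the cracklib-check output above and accepts its own generated one; the generated password only ever reaches a client through the UI, so the dictionary heuristics are needed solely for the manual path the DirectAdmin reply below says must stay available.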
 
We tried moving towards autogenerated passwords for databases. But we immediately got requests to allow using manual password 😄.

Completely eliminating the ability to manually set a password is not a good approach either. There are situations where users want to use specific passwords. One example could be legacy systems: legacy systems might not work with too-long passwords, or might not accept some symbols in passwords. Another example is system migration: a user might want to use a specific old password to avoid having to reconfigure old clients.

I think the best way forward here is to update the UI to always prefer autogenerated passwords, but still allow the password to be changed when needed.

Setting minimum password length to 20 symbols is a good way of forcing users into using autogenerated passwords.
 
Setting minimum password length to 20 symbols is a good way of forcing users into using autogenerated passwords.
Not for manual passwords, hopefully; we need shorter ones and don't need long ones, especially not for databases. They already contain the account name too, which makes them longer as well.
For minimal password length they can use the da_config_set command.
 
The best form of security is education. Tell your customers about the pitfalls of passwords like "My dad's name - Year" or "My street name - My first cat" etc. I use a password generator (below, others are available) and use a different password for everything. Write them down and don't use insecure password storage.

Consider who you store passwords with also; LastPass have recently been fined £1.2M by the ICO in the UK for data breaches.


I know it's a lot for someone who's not tech-savvy, but education is the key here, not how strong your password is, as that's only one part of the equation.

 