require randomized passwords

Driesp

Hi all

A couple of years ago, I made a feature request suggestion on feedback.directadmin.com.
Many hosting providers only allow users to receive a randomly generated password when changing or configuring e-mail accounts, FTP accounts, databases, ...
This prevents users from choosing a password that is too easy or a password they already use elsewhere.
By only allowing randomly generated passwords, the passwords are unique and strong.
This will greatly improve the security of the server/network.

E-mail accounts are configured permanently on a device, databases are configured in a configuration file, and FTP passwords can be remembered in the FTP client.
DirectAdmin passwords can be remembered in the web browser or in a password database.

Today, it is still impossible to use two-factor authentication on e-mail accounts or FTP accounts (or databases).
This is an extra reason why we should prevent users from setting their own passwords.

I would suggest an extra configuration option like this:
require_randomized_passwords=yes

Please give your +1 here:

Kind regards
Dries
 
Hi all

I want to bump up this topic.

I hope this feature can be implemented in DirectAdmin. It will greatly improve the security of the servers and network.

Kind regards
Dries
 
Hello all

I would like to bump this thread up again (sorry...).

Europe is implementing NIS2, and companies are required to do 2FA or update their security or they are not compliant with European regulations!!!
(if I understood correctly?)

Unfortunately, we cannot do 2FA (or modern authentication mechanisms like passkeys) on SMTP, POP3, IMAP or FTP.
It is also not possible to narrow authentication down to specific IP ranges as far as I know.

With this in mind, I would like to ask to implement a more secure way of configuring passwords on DirectAdmin.
I am looking for a security option so clients are only allowed to use (predefined) randomized passwords while changing (or configuring) a password.

Please give a +1 here so this security feature can be implemented soon:

Thank you in advance!!!!!!
Best regards
Dries
 
and companies are required to do 2FA or update their security or they are not compliant with European regulations!!!
Can you point to a link on this so we can have a look? I doubt that the EU can oblige us all to implement 2FA or something. I would like to have a read myself to see if you indeed understood it correctly and we are missing important information.
 
Thank you for the links!

I had a quick look. Belgium is further along than the Netherlands with this. NL is behind on planning, and for a lot of things it's not clear to hosting companies what exactly is being changed and how.
Better checks on domain names and verification as far as I can see.

But there is no rule which requires randomized passwords. Users are responsible for that anyway because they can change them later on, so I would say with activating a difficult password enforcement, we should be good. Also there is no 2FA obligation yet, which isn't even possible with e-mail at the moment. Maybe with webmail with adjustments.

Belgium has already implemented them in its law. I had a look at the competition here (click), which explained it nicely for the Netherlands. So for us at this moment, it's totally not clear what they will expect from us.
Of course there are basic things such as reporting issues/hacks when customer info is stolen, and SIDN is looking at a better security policy, but nothing is clear yet, as some of the ideas to check ownership will also go into the privacy law. So that needs legislation which is still not ready yet in NL.

So it's not really clear to me how far this will affect our business as small hosting providers, as the Dutch legislation is not known yet. But the link I posted gives a small insight, in the Dutch language, into what we can expect at the moment.
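
As an added example (not written by anyone in this thread and not DirectAdmin code): a Python sketch of the two approaches discussed above, a complexity rule applied to user-chosen passwords versus passwords issued by the server. Only the option name `require_randomized_passwords` comes from the thread; `change_password`, the rule in `passes_complexity`, the alphabet and the length are assumptions made for illustration.

```python
import math
import re
import secrets
import string
from typing import Optional

# Assumed values for illustration; not DirectAdmin defaults.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
LENGTH = 20

def passes_complexity(pw: str, min_len: int = 8) -> bool:
    """Assumed 'difficult password' rule: minimum length plus four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)

def issue_password(length: int = LENGTH) -> str:
    """Draw each character from the OS CSPRNG; retry until the rule above holds."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if passes_complexity(pw):
            return pw

def entropy_bits(length: int = LENGTH) -> float:
    """Upper bound on the entropy of an issued password, in bits."""
    return length * math.log2(len(ALPHABET))

def change_password(config: dict, requested: Optional[str] = None) -> str:
    """Hypothetical handler for the option proposed in the thread."""
    if config.get("require_randomized_passwords") == "yes":
        if requested is not None:
            raise ValueError("user-chosen passwords are disabled")
        return issue_password()  # the server picks the value, not the user
    if requested is None or not passes_complexity(requested):
        raise ValueError("password fails the complexity rule")
    return requested

if __name__ == "__main__":
    reused = "Summer2024!"  # constructed sample: guessable, yet passes the rule
    print(passes_complexity(reused))
    print(change_password({"require_randomized_passwords": "yes"}))
    print(round(entropy_bits(), 1))
```

The complexity rule can only check the shape of a password, so it accepts a value the user may already use elsewhere; the issued password is unrelated to anything the user has typed before.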
 