In my previous post about enhancing the password policy in ClearOS I mentioned creating a simple PHP script for detecting users who use weak passwords, so I'd like to share it.
Our customer uses ClearOS 6 (Professional Edition) to store user passwords, and almost all applications use it for external authentication, so users only have to remember one password; Zimbra is one of those applications.
Recently the public IP used for outgoing mail traffic was listed in an RBL, and on checking the server we found that some user accounts had been hijacked and were sending spam to outside domains (gmail.com, outlook.com, etc.). I set the suspected accounts to closed status in Zimbra and reset their passwords to random values, but this kept happening quite frequently.
I then created a simple PHP script using the ClearOS API to scan for weak passwords (based on a list). Surprisingly, a bunch of users were using weak passwords such as "Passwd11", "Paasword88", etc., so I concluded that the built-in password policy in ClearOS is not good enough to prevent this.
Based on my experience creating and modifying ClearOS modules (they are just PHP code), I modified the ClearOS user module to strengthen the password policy with the following criteria:
- Maximum length
- Minimum length
- Minimum uppercase
- Minimum numeric character
- Minimum punctuation character
- Forbid users from using their username within the password
- Forbid users from using a password that is listed in the weak-password list.
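As an added illustration of the criteria above (this is example code, not the modified ClearOS user module and not the ClearOS API), a stand-alone PHP function that returns every rule a candidate password breaks; the thresholds, the username and the short weak-password list are constructed for the demonstration.

```php
<?php
// Added example: stand-alone policy check for the criteria listed above.
// Not ClearOS code; policy values and the weak list below are constructed.
function check_password_policy(string $username, string $password, array $policy, array $weak_list): array
{
    $violations = [];
    $len = strlen($password);

    if ($len > $policy['max_length']) {
        $violations[] = "longer than {$policy['max_length']} characters";
    }
    if ($len < $policy['min_length']) {
        $violations[] = "shorter than {$policy['min_length']} characters";
    }
    // preg_match_all() with no output array returns the number of matches.
    if (preg_match_all('/[A-Z]/', $password) < $policy['min_upper']) {
        $violations[] = "fewer than {$policy['min_upper']} uppercase letters";
    }
    if (preg_match_all('/[0-9]/', $password) < $policy['min_numeric']) {
        $violations[] = "fewer than {$policy['min_numeric']} digits";
    }
    if (preg_match_all('/[[:punct:]]/', $password) < $policy['min_punct']) {
        $violations[] = "fewer than {$policy['min_punct']} punctuation characters";
    }
    // Username anywhere inside the password, compared case-insensitively.
    if ($username !== '' && stripos($password, $username) !== false) {
        $violations[] = 'contains the username';
    }
    // Weak-list lookup is case-insensitive so "PASSWORD" still matches "password".
    $weak_lower = array_map('strtolower', $weak_list);
    if (in_array(strtolower($password), $weak_lower, true)) {
        $violations[] = 'appears in the weak-password list';
    }
    return $violations;
}

// Constructed sample policy and weak list (the first two entries are the ones seen above).
$policy    = ['max_length' => 64, 'min_length' => 10, 'min_upper' => 1, 'min_numeric' => 1, 'min_punct' => 1];
$weak_list = ['Passwd11', 'Paasword88', 'password', '123456'];

foreach (['Passwd11', 'joe2024!Xq', 'Tr0ub4dor&3xyz'] as $candidate) {
    $problems = check_password_policy('joe', $candidate, $policy, $weak_list);
    echo $candidate, ': ', $problems ? implode('; ', $problems) : 'OK', PHP_EOL;
}
```

In a real deployment the weak list would be loaded from a file of known-bad passwords rather than hard-coded, and the same function can be pointed at existing accounts' candidate passwords during a reset flow as well as at new ones.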