4

On attempt to change my cPanel password I was warned that:

Your password could not be changed because the new password failed with the following reason : (is too similar to the old one), please try again!

Which is correct, my old and new passwords does differ by a single character. However that rises the question how exactly the cPanel code does know my old plain text password. Should not it be hashed?

Yordan Pavlov
  • 143
  • 4

3 Answers3

5

I just logged into cPanel and when I click to change my password it asks me for three things:

  1. My old password
  2. A new password
  3. Confirmation of the new password

Screen Shot: enter image description here

It also says that the old password cannot be empty.

This may not be exactly how cPanel does it but, it is a possibility:

  1. Since you have sent it your old password to cPanel it can hash it and see if it is equal to your password while still storing a copy of your unhashed password (in memory not on disk)
  2. Now since it has confirmed your old password hashes to the correct value it can perform tests on the plain text version (that you just barely sent it) and give an error if one of the tests fails
  3. If the new password and confirmation match store the new password.

Answer as to why it knows your old password:

You just gave it to it so it knows your previous password and stores it in RAM (not on disk). This is assuming that you are referring to your last password (the one that you're currently changing) and not to one that you used in a prior iteration.

Travis Pessetto
  • 670
  • 3
  • 6
  • Does the plaintext password leave my browser or is it hashed client side and then sent. – Yordan Pavlov Jul 25 '14 at 14:55
  • @YordanPavlov It most likely sends it as plaintext. This is not a security issue as cPanel uses SSL (at least mine does). It also won't be stored on the server for more than an few seconds. Also as I understand it RAM is much harder to extract information from than something on the file system. – Travis Pessetto Jul 27 '14 at 10:07
  • The reason I searched for this question is my domain host uses cPanel and they just asked for the last 4 characters of my password. I'm trying to figure out if they store that when I set it or if the password as plain text. "Sanjuna" of customer support won't give me an answer. – Gary Jul 02 '15 at 20:56
2

@Travis Pessetto most likely has the correct answer to your question.

I just wanted to point out that some places will do this without knowing your old plaintext password. This can be done by generating permutations of your new password and comparing each hash to your old password hash. 

Old Hash (Plaintext Unknown):
0bc16e0e8b0ed0be12f1360c70c235dd9f3127280630952e3b933c194ed406f3

New Password:
sha256('password2014')
9e9c74820bebfabb92e40b649e9954bec87f38d63a44f4b2d96eb8f3f4a21548

Check Permutations:
sha256('password2015')
8c1e97296199cc50361b252ba05b5d6b97d389a841185ba8e6fc311b390c69ce
sha256('password2013')
0bc16e0e8b0ed0be12f1360c70c235dd9f3127280630952e3b933c194ed406f3

Match Found! New password is too similar to old password!

Note: sha256 is a fast hashing algorithm, I used it only for an easy example.

David Houde
  • 5,524
  • 1
  • 28
  • 22
1

I just got an email from my hosting company. It was a link to the new cPanel access point for my sites, and the email included my cPanel username and password as plain text. This was disturbing to say the least. It lead me here where I do not see a verified answer but I am led to believe that yes it is stored as plain text somewhere unless my hosting company is storing it on their own somewhere.

Taylor Brown
  • 111
  • 3