Complexity Requirements

I would love to see dreamhost add an option to enable password complexity requirements on the email system.

Why? We already have the option to make email passwords as complex or simple as we want.

This is a great idea. Some clients may be tempted to use simple passwords that could result in an easy breach from a brute force attack which we would be responsible for as the paying customer. Enforcing complexity such as one uppercase character, one number and one symbol is really the simplest way to avoid these kinds of problems.

One needs to justify why forcing password complexity is a good idea. It seems to be more generally understood that length of passwords is a lot more effective at slowing down brute-force attacks. A good read on this topic:

From the thousands of clients I have worked with (I’ve worked at WP Engine and Pagely), most sites are brute-forced on very simple passwords (colours, names etc), especially WordPress sites rather than some vulnerability from a plugin, theme or WordPress itself. Still, that’s exactly the purpose of enforcing complexity - to slow down a brute force attack. Preventing attacks is something that needs to be done proactively too so complexity + disabling accounts after X amount of failed login attempts is enough to protect an account. The same thing applies to dual-logins, (http auth + cms login), 2 step verification etc.

The article you’ve shown is an opinion from a regular person who owns a company that generates less than £10k of revenue a year, not a security or psychological expert. It’s safer to enforce complexity and let a customer write down the password than it is to let the customer use the password “yellow1” because most breaches are done from a remote location, guessed or brute-forced, not by someone who has physical access to you or your possessions. Even using a password manager is safer because it gets users in the habit of generating different passwords for every account so if one is breached, the rest are safe.

When you have car insurance, you don’t expect to have an accident every day but it does give you peace of mind. With the same principle, even if DreamHost has a low number of breaches, it’s still about giving peace of mind. Giving us the option to enforce SSL on webmail is another way to protect our clients who use open WiFi hotspots to login.

The reality is, people don’t fully understand the gravity of what occurs when their email is hacked until it’s too late. They need to be forced to protect themselves, not asked.

That, quite frankly, is a little too totalitarian for my tastes.

WordPress and other CMS’s already tell you if a new password is weak or strong (or something in between). I would much prefer that approach.

There’s nothing totalitarian about minimum complexity/length requirements for passwords. As the old adage goes, your system is only as strong as its weakest link. And most people accept defaults. If they can make passwords like “p@$$word”, “123456789”, “admin”, etc., then they will. The default should be to require strong passwords.

I would support this on a case by case basis where you could set and enforce your own rules (much the way Moodle handles it). However, I neither need nor want this feature, and I shouldn’t have it forced on me because others have lazy clients. I already lost sudo, what more is Dreamhost going to take away?
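The owner-configurable policy discussed in this thread (character-class rules, a length-only alternative, and lockout after a fixed number of failed logins) sketched as an added example; this is illustrative code written for this post, not anything DreamHost runs, and the rule names, thresholds and sample passwords are all assumed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Owner-configurable rules (hypothetical defaults, not DreamHost's)."""
    min_length: int = 12
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_failed_attempts: int = 5
    failed: dict = field(default_factory=dict)  # account -> failed-login count

    def check_password(self, password: str) -> list:
        """Return the rule violations; an empty list means the password is accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_upper and not re.search(r"[A-Z]", password):
            problems.append("no uppercase letter")
        if self.require_digit and not re.search(r"\d", password):
            problems.append("no digit")
        if self.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no symbol")
        return problems

    def record_login(self, account: str, success: bool) -> bool:
        """Count failed logins per account; return True once the account should be locked."""
        if success:
            self.failed.pop(account, None)  # a good login resets the counter
            return False
        self.failed[account] = self.failed.get(account, 0) + 1
        return self.failed[account] >= self.max_failed_attempts


if __name__ == "__main__":
    # Complexity-style policy versus a length-only policy, run over constructed samples.
    complexity = PasswordPolicy()
    length_only = PasswordPolicy(min_length=16, require_upper=False,
                                 require_digit=False, require_symbol=False)
    for pw in ["yellow1", "p@$$word", "123456789", "Correct-Horse-Battery-9",
               "correcthorsebatterystaple"]:
        print(f"{pw!r}: complexity={complexity.check_password(pw)} "
              f"length_only={length_only.check_password(pw)}")
    lockout = PasswordPolicy(max_failed_attempts=3)
    for attempt in range(3):
        print("locked after attempt", attempt + 1, ":", lockout.record_login("alice", False))
```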

DreamHost allowed those who really wanted sudo to keep it. You had to ask, though.

I never did say force, I stated that I would love if DreamHost would add an OPTION for owners to enable and configure.