To check the strength of the password (Calculated entropy returned from the algorithm) and return it to the caller while creating an account/user or updating a user's password.

Try to enable an interface that can be implemented as a plugin and injected at necessary places for any type of password strength checker. This way we can make sure each component/plugin can have plugins to check

password strengths on their own way. 

API Changes

The following API responses will be changed to support this as of now.

  1. CreateUserCmd
  2. UpdateUserCmd
  3. CreateAccountCmd

The following response parameter is started returning from above commands

  1. passwordstrength (a float value will be returned to the caller)


Add new Inerface "" to "server".

This interface will have the following declaration:

public Float checkPassword(String password);

This interface will have the following config keys which needs to be returned by the Configurable interface so that it gives the flexiblity to enable/enforce this through Configurable UI.

static final ConfigKey<Boolean> PasswordStrengthCheckerEnable = new ConfigKey<Boolean>("Advanced", Boolean.class, "user.password.strength.checker.enable", "false", "To enable password strength check. This will enable to check the strength and return it.", true);

If you enable this parameter then only system will check the password strength and will start return to the caller as part of API response

static final ConfigKey<Boolean> PasswordCStrengthCheckerEnforce = new ConfigKey<Boolean>("Advanced", Boolean.class, "user.password.strength.checker.enforce", "false", "To Impose the password strength. This will enforce the password rules to be verified",true);

If you enable this (With out above key value enabled enabling this will not make sense) then the system will also enforce the password strength rules for the given passwords.


it is the plugins responsibility to declare the bean that is implementing the above interface with in that plugin. Please refer (1) to know how to add a new plugin to cloudstack

Integration Points

Currently The integration points are at plugins those implement UserAuthenticator wile encoding a given password.

  1. plugins/user-authenticators/sha256salted
  2. plugins/user-authenticators/plaintext
  3. plugins/user-authenticators/md5

The sample Xml configuration to integrate the password checker plugin.

(From: spring-sha256salted-context.xml)

<bean id="SHA256SaltedUserAuthenticator" class="">
      <property name="name" value="SHA256SALT"/>
      <property name="passwordCheckers" value="#{passwordCheckersRegistry.registered}"/>

Default Plugin

cloudstack gives the following default plugin to support password checker which gets registered with Extension Registry.


It has the following bean declaration in spring-password-checker.xml

<bean id="passwordChecker" class="">
         <property name="name" value="DEFAULTPASSWORDCHECKER"/>
        <!-- Comment any of the below sections you want modify if you are having requirements which are differing with default values -->
        <!-- property name="minLength" value="8"/ -->
        <!-- property name="maxLength" value="16"/ -->
        <!-- property name="passwordCheckerPropertiesFile" value=""/ -->

It has the following property file to change the password strength rules.

    The following is the format of the file where each rule will be added in a separate line.
    pattern - Pattern to support in the password character set. Eg: @!#$%
    optional - Whether this password rule set is optional or not while enforcing the password strength 

The password strength is calculated based on the following algorithm:

  1. Password Entropy = (log (N) * L ) / log (2)
    where L is the Length of the password
     and N is the total Length of the all character sets to be involved. 



  • No labels