The forum

Clarify password requirements for accounts

Author Replies
nPrime Wednesday 17 July 2019 at 13:29

Issues:

  • Password requirements (legal and illegal characters, length) are not explicitly stated
  • Accounts can be created with passwords that contain illegal characters without showing an error
  • Passwords can be reset to new passwords that contain illegal characters without showing an error
Problem scenario:
Someone uses a password manager to create a randomly generated password for the account. This password contains some illegal characters (unknown symbols because the site doesn't state what they are) but the account is successfully created (no error message given). When the user goes to log into the account using the password accepted during registration, they receive an error saying "Username / password do not match." The user doesn't understand why they're not able to log in.
The user goes to reset the password, creating another randomly generated password with the same criteria (character set). The password reset is "successful" (accepted with no errors given) but when they go to log in again, they get the same "Username / password do not match" error.

Now the user might guess that it's an issue with the site not accepting the password but they don't know why. Was the password too long? Did it contain illegal characters? They need to keep resetting their password, trying different things and testing it after each reset. I needed to reset my password 3 times before I figured out it was because of illegal characters (first time with same criteria as initial password, second time with same character set but shorter, third time more characters but alpha-numeric).
This sort of thing reflects poorly on the site because users could wonder if passwords are being handled securely behind the scenes as well (Are they being sent in plain text? Are they being hashed and salted? Are they being stored securely?).

Edited by nPrime

MaxPeal Wednesday 29 September 2021 at 18:08

I have the same problem, as I use a randomly generated password.

mr_johnson22 Monday 15 November 2021 at 6:24

This just bit me, too. I can log in, but only after refreshing the page after an apparent failure to log in.

When I try to change my password, it fails with an error of "Sorry, your old password is wrong".

I'm not receiving any password reset emails, either.

Also, I cannot log in when trying to file a bug from the PlayOnLinux program.

psilonaut Thursday 24 February 2022 at 3:44

Still hasn't been addressed. Bump.
Quentin PÂRIS Thursday 24 February 2022 at 19:20

Sorry for the delay, this should have been addressed now.

For the details and the record: the registration page was mistakenly escaping the password before hashing it (which is useless). Therefore, the hash was not identical when logging in. The registration page has been reworked; we changed the way we query the database.

There are other security enhancements that are planned to be made soon.

Feel free to ask any question, I will try to respond as accurately as possible.

Quentin
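The failure Quentin describes above, and the symptom nPrime reported in the opening post, reproduced as an added example. This is not the PlayOnLinux site's code: the addslashes-style escaper, the `AccountStore` class and every name in it are assumptions made for illustration. The buggy store runs the password through an SQL escaper before hashing it at registration (and at reset), while login hashes the raw password, so any password containing a quote or backslash can never match. The fixed store hashes the raw password and leaves quoting to a parameterised query, which is the only place escaping belongs.

```python
"""Added example (not the PlayOnLinux site's code): escaping a password before
hashing it breaks login for passwords that contain escapable characters.
The escaper, AccountStore and the helper names are hypothetical."""
import hashlib
import hmac
import os
import sqlite3


def sql_escape(s: str) -> str:
    """Stand-in for an addslashes-style escaper: a backslash before ' " and \\.
    Escaping is for building SQL text by hand; it must never touch the value
    that is hashed, because the login page will hash the unescaped value."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def chars_changed_by_escaping(password: str) -> set:
    """The 'illegal characters' the opening post could not identify: exactly
    those the escaper rewrites."""
    return {c for c in password if sql_escape(c) != c}


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; any real KDF works, the bug is upstream of it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccountStore:
    """In-memory user table. escape_before_hash=True reproduces the bug,
    False is the corrected behaviour (raw password hashed, '?' placeholders)."""

    def __init__(self, escape_before_hash: bool):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
        )
        self.escape_before_hash = escape_before_hash

    def _stored_form(self, password: str) -> str:
        # The bug: the registration/reset path hashes the escaped string.
        return sql_escape(password) if self.escape_before_hash else password

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        # Parameterised INSERT: sqlite3 quotes the values, no escaping needed.
        self.db.execute(
            "INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
            (name, salt, hash_password(self._stored_form(password), salt)),
        )
        self.db.commit()

    def reset_password(self, name: str, new_password: str) -> None:
        # Same code path as registration, so the reset in the thread fails too.
        salt = os.urandom(16)
        self.db.execute(
            "UPDATE users SET salt = ?, pw_hash = ? WHERE name = ?",
            (salt, hash_password(self._stored_form(new_password), salt), name),
        )
        self.db.commit()

    def login(self, name: str, password: str) -> bool:
        # The login page always hashed the raw password; that side was right.
        row = self.db.execute(
            "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
        ).fetchone()
        if row is None:
            return False
        salt, pw_hash = row
        return hmac.compare_digest(hash_password(password, salt), pw_hash)


def reproduce(password: str) -> dict:
    """Register, log in, reset, log in again against both stores.
    Returns which steps succeeded, keyed by 'buggy' and 'fixed'."""
    results = {}
    for label, buggy in (("buggy", True), ("fixed", False)):
        store = AccountStore(escape_before_hash=buggy)
        store.register("nprime", password)
        first = store.login("nprime", password)
        store.reset_password("nprime", password + "x")
        second = store.login("nprime", password + "x")
        results[label] = {"login_after_register": first, "login_after_reset": second}
    return results


if __name__ == "__main__":
    # Constructed sample: a password-manager style string with ' " and \ in it.
    generated = "Rq7'v\"B\\m3"
    print("escaper rewrites:", sorted(chars_changed_by_escaping(generated)))
    print(reproduce(generated))
    print(reproduce("Rq7vBm3alnum"))
```

With a purely alphanumeric password both stores accept the login, which is exactly why the opening poster only found the cause after a third reset with an alphanumeric password: the escaper leaves such strings unchanged, so the hash at registration and at login coincide by accident. The practitioner's check is the one in `chars_changed_by_escaping`: if the set of characters your escaper rewrites intersects the character set of your password policy, a hash computed on the escaped value will not verify.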