Clarify password requirements for accounts

nPrime Wednesday 17 July 2019 at 13:29

Issues:

  • Password requirements (legal and illegal characters, length) are not explicitly stated
  • Accounts can be created with passwords that contain illegal characters without showing an error
  • Passwords can be reset to new passwords that contain illegal characters without showing an error


Problem scenario:


Someone uses a password manager to create a randomly generated password for the account. This password contains some illegal characters (unknown symbols because the site doesn't state what they are) but the account is successfully created (no error message given). When the user goes to log into the account using the password accepted during registration, they receive an error saying "Username / password do not match." The user doesn't understand why they're not able to log in.


The user goes to reset the password, creating another randomly generated password with the same criteria (character set). The password reset is "successful" (accepted with no errors given) but when they go to log in again, they get the same "Username / password do not match" error.

Now the user might guess that it's an issue with the site not accepting the password but they don't know why. Was the password too long? Did it contain illegal characters? They need to keep resetting their password, trying different things and testing it after each reset. I needed to reset my password 3 times before I figured out it was because of illegal characters (first time with same criteria as initial password, second time with same character set but shorter, third time more characters but alpha-numeric).


This sort of thing reflects poorly on the site because users could wonder if passwords are being handled securely behind the scenes as well (Are they being sent in plain text? Are they being hashed and salted? Are they being stored securely?).

Edited by nPrime

MaxPeal Wednesday 29 September 2021 at 18:08

i have the same problem, as i use a randomly generated password.

mr_johnson22 Monday 15 November 2021 at 6:24

This just bit me, too. I can log in, but only after refreshing the page after an apparent failure to log in.

When I try to change my password, it fails with an error of "Sorry, your old password is wrong".

I'm not receiving any password reset emails, either.

Also, I cannot log in when trying to file a bug from the PlayOnLinux program.

psilonaut Thursday 24 February 2022 at 3:44

Still hasn't been addressed. Bump.


Quentin PÂRIS Thursday 24 February 2022 at 19:20

Sorry for the delay, this should have been addressed now.

For the details and the records: The registration page was mistakenly escaping the password before hashing it (which is useless). Therefore, the hash was not identical when logging in. The registration page has been reworked; we changed the way we query the database.

There are other security enhancements that are planned to be made soon.

Feel free to ask any question, I will try to respond as accurately as possible.

Quentin
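To illustrate the root cause described in the reply above, here is an added example (not the PlayOnLinux site's own code): a registration/login round trip where registration escapes the password before hashing it, next to the corrected version that hashes the raw password and relies on a parameterised query instead of escaping. HTML escaping, PBKDF2 and an in-memory SQLite table are assumptions standing in for whatever the site actually used.

```python
import hashlib
import hmac
import html
import os
import sqlite3

# Constructed password-manager style value containing characters an
# escaping routine would rewrite ( ' < > & " ).
GENERATED = "x7&<Q'9>z\"Lp"


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 (assumed scheme); the hash must see the raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register_buggy(db, user: str, password: str) -> None:
    # Bug from the thread: the password is escaped before it is hashed, so the
    # stored hash is of a different string than the one the user will type.
    salt = os.urandom(16)
    digest = hash_password(html.escape(password), salt)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, digest))


def register_fixed(db, user: str, password: str) -> None:
    # Fixed: hash the raw password. The placeholder query handles quoting, so
    # no escaping of the value is needed (or wanted) at all.
    salt = os.urandom(16)
    digest = hash_password(password, salt)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, digest))


def login(db, user: str, password: str) -> bool:
    # Login always hashes the raw password and compares in constant time.
    row = db.execute("SELECT salt, hash FROM users WHERE name = ?", (user,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def round_trip(register, password: str) -> bool:
    # Fresh in-memory table per run: register, then try to log in with the same password.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    register(db, "alice", password)
    return login(db, "alice", password)


if __name__ == "__main__":
    print("buggy registration:", round_trip(register_buggy, GENERATED))  # False
    print("fixed registration:", round_trip(register_fixed, GENERATED))  # True
```

An alphanumeric password passes through the escaping unchanged, which is why only passwords with "illegal" characters failed in the thread.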
