Closed
Bug 1073568
Opened 10 years ago
Closed 10 years ago
LDAP password-reset form switches from accepting to rejecting a password, if you *add* a short word
Categories
(Infrastructure & Operations :: Infrastructure: LDAP, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dholbert, Unassigned)
References
()
Details
STR:
1. Visit https://passwordreset.mozilla.org/
2. See whether the following passwords are accepted/rejected:
1234 abcd efgh ijkl
1234 abcd efgh ijkl hi
hi 1234 abcd efgh ijkl
ACTUAL RESULTS:
The first password is accepted as strong-enough, BUT the second and third are rejected because of the addition of "hi". The error message that appears is:
> Passphrases must be a minimum 16 characters and 4 words
> and each word must be atleast 4 characters long
This is silly; the latter two passphrases are *stronger/harder-to-crack* than the first one. If the first one is acceptable, the latter two should be as well.
EXPECTED RESULTS:
I think the analyzer really *means* to check whether your password *contains* at least 4 words of at least 4 characters. Additional words (beyond that minimum) should have no requirements placed on them.
Reporter | ||
Updated•10 years ago
|
Summary: LDAP password-reset form rejects strong passwords if you *add* a short word to the beginning → LDAP password-reset form switches from accepting to rejecting a password, if you *add* a short word
Reporter | ||
Updated•10 years ago
|
i have tested this with libpasswdqc and i cannot reproduce. this may be an issue in not24get or the implementation at passwordreset.
test case:
pwqcheck -1 min=16,16,16,16,16 max=100 passphrase=4 match=6
Flags: needinfo?(rtucker)
note: if you successfully set the password with "1234 abcd efgh ijkl" and tried again with "1234 abcd efgh ijkl hi" then it WILL be refused because your new password is too similar to your previous password.
Could that be what happened?
Flags: needinfo?(rtucker) → needinfo?(dholbert)
Reporter | ||
Comment 3•10 years ago
|
||
(In reply to Guillaume Destuynder [:kang] from comment #2)
> note: if you successfully set the password with "1234 abcd efgh ijkl" and
> tried again with "1234 abcd efgh ijkl hi"
Nope, that's not what happened. I discovered this from just playing around with the web UI, trying out new passwords.
Can you reproduce with the web UI?
Flags: needinfo?(dholbert)
Reporter | ||
Comment 4•10 years ago
|
||
Sorry, my highlighted "in reply to" chunk in my previous comment was poorly-cropped.
Anyway -- the new passwords that I tried this with (including the example one in comment 0) are in no way related to my old LDAP password.
Reporter | ||
Updated•10 years ago
|
Flags: needinfo?(gdestuynder)
Reporter | ||
Comment 5•10 years ago
|
||
(And to be clear, I'm only judging "accepted" vs. "rejected" based on whether the web form displays an error after I've typed in the password.)
ok i can reproduce that :)
Rob, it's an issue in the javascript logic indeed
Flags: needinfo?(gdestuynder) → needinfo?(rtucker)
Comment 7•10 years ago
|
||
I've made changes to the javascript file and confirmed with :kang that these password strings are accepted. Apologies as I may have misinterpreted the spec here.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(rtucker)
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•