Closed Bug 1073568 Opened 10 years ago Closed 10 years ago

LDAP password-reset form switches from accepting to rejecting a password, if you *add* a short word

Categories

(Infrastructure & Operations :: Infrastructure: LDAP, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dholbert, Unassigned)

References

()

Details

STR: 1. Visit https://passwordreset.mozilla.org/ 2. See whether the following passwords are accepted/rejected: 1234 abcd efgh ijkl 1234 abcd efgh ijkl hi hi 1234 abcd efgh ijkl ACTUAL RESULTS: The first password is accepted as strong-enough, BUT the second and third are rejected because of the addition of "hi". The error message that appears is: > Passphrases must be a minimum 16 characters and 4 words > and each word must be atleast 4 characters long This is silly; the latter two passphrases are *stronger/harder-to-crack* than the first one. If the first one is acceptable, the latter two should be as well. EXPECTED RESULTS: I think the analyzer really *means* to check whether your password *contains* at least 4 words of at least 4 characters. Additional words (beyond that minimum) should have no requirements placed on them.
Summary: LDAP password-reset form rejects strong passwords if you *add* a short word to the beginning → LDAP password-reset form switches from accepting to rejecting a password, if you *add* a short word
i have tested this with libpasswdqc and i cannot reproduce. this may be an issue in not24get or the implementation at passwordreset. test case: pwqcheck -1 min=16,16,16,16,16 max=100 passphrase=4 match=6
Flags: needinfo?(rtucker)
note: if you successfully set the password with "1234 abcd efgh ijkl" and tried again with "1234 abcd efgh ijkl hi" then it WILL be refused because your new password is too similar to your previous password. Could that be what happened?
Flags: needinfo?(rtucker) → needinfo?(dholbert)
(In reply to Guillaume Destuynder [:kang] from comment #2) > note: if you successfully set the password with "1234 abcd efgh ijkl" and > tried again with "1234 abcd efgh ijkl hi" Nope, that's not what happened. I discovered this from just playing around with the web UI, trying out new passwords. Can you reproduce with the web UI?
Flags: needinfo?(dholbert)
Sorry, my highlighted "in reply to" chunk in my previous comment was poorly-cropped. Anyway -- the new passwords that I tried this with (including the example one in comment 0) are in no way related to my old LDAP password.
Flags: needinfo?(gdestuynder)
(And to be clear, I'm only judging "accepted" vs. "rejected" based on whether the web form displays an error after I've typed in the password.)
ok i can reproduce that :) Rob, it's an issue in the javascript logic indeed
Flags: needinfo?(gdestuynder) → needinfo?(rtucker)
I've made changes to the javascript file and confirmed with :kang that these password strings are accepted. Apologies as I may have misinterpreted the spec here.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(rtucker)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.