Bug 1400949 - Password requirements not stated
Status: RESOLVED FIXED (closed)
Opened 7 years ago; closed 7 years ago
Categories: bugzilla.mozilla.org :: General, defect
People: Reporter: christoph, Assigned: dylan
References: Blocks 1 open bug
Attachments: 1 file
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170824053622

Steps to reproduce:
Logged in to https://bugzilla.mozilla.org with a password that does not satisfy complexity rules.

Actual results:
I was prompted for a new password, with the website informing me that the current password was "too shor" (sic!). There was no hint how long the new password should be, nor an obvious link to such information. Even when I entered a new password that was also deemed too short, I got no such information.

Expected results:
While prompting me for a new password, the website should have informed me not only that the current password was "too short" (mind the "t"!), but also what the required length actually is. Ideally, it should have informed me of the full password complexity rules, or provided me with an obvious link to such information.

(Technically, *I* would have expected the password to be long enough in the first place. How long and complex a password are we supposed to remember on sites we rarely visit?! Sure, I guess it makes sense to require super-duper-secure passwords for people with a lot of access rights; but then maybe the proper way is to have different complexity rules for different user groups, rather than impose Fort Knox-level passwords on all users.)
Updated 7 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated 7 years ago
Assignee: general → nobody
Component: Bugzilla-General → General
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
Comment 1, 7 years ago
So the minimum is 16 characters regardless of character classes used. I assume the default configuration of passwdqc isn't secure enough, but I wonder if the limit should be lower for Int3/Int4... This is but a configuration value, so perhaps Emma and Kang can have a discussion about meeting the security needs vs. contributors. To the reporter: If you like, you can log in using GitHub without having a password at all -- in fact you may log in with GitHub even if you are using a password.
Updated 7 years ago
I suspect that if we move Bugzilla to federated logins this is a moot point, as passwords are enforced by GitHub and LDAP instead, but otherwise yes - our default standard is the same for all users regardless of access. For example, if you were copied on a sensitive bug, Bugzilla would otherwise have to ask you to "change your password to something stronger" before you would get access, which is also a bad UX situation, unfortunately. The federated login option story is a little better in that regard if we decide to implement it, though it would still require some "account upgrade" mechanism when added to a sensitive bug as well if we decided to have different policies depending on your access. In the meantime I would recommend the usage of a password manager, which makes the length of a password less of an issue in day-to-day operations for users (since it just records it anyway).
Flags: needinfo?(gdestuynder)
I agree that using a PW manager is the best way to deal with this and recommended by security professionals. https://slackhq.com/two-simple-steps-to-safer-passwords-6af7bfe175c5 I'm going to close this as WONTFIX, and will open a bug to update the change password view with a note suggesting the user use a password manager.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(ehumphries)
Resolution: --- → WONTFIX
See Also: → 1400987
Comment 4 (Reporter), 7 years ago
Please re-open: While I did take the opportunity to voice my opinion about the actual password complexity rules in place, the primary issue (as per the title) is that the user isn't informed about the required pwd length, and that they have to find it out by trial and error instead.
This will be addressed in the "see also" bug.
Updated 7 years ago
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Updated 7 years ago
Assignee: nobody → dylan
Comment 8, 7 years ago
State the required length and any other requirements, for example at least one upper-case and one lower-case character, one number, one special character, and state the set of allowable special characters in that case.
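As an added example that is not code from bugzilla.mozilla.org, Bugzilla or passwdqc, here is a small Python password check that does what comment 1 and comment 8 ask for: it models a minimum length that is either fixed regardless of character classes (the 16-character rule comment 1 describes) or varies with the number of classes used (a passwdqc-style tuple; the tiered numbers below are assumed for illustration, not the site's configuration), and every rejection names the rule and the threshold instead of a bare "too short". The class names, the allowed special-character set, the sample passwords and the function names are this example's own assumptions.

```python
"""Password-policy check whose error messages state the rule that failed.

Added example, not code from bugzilla.mozilla.org, Bugzilla or passwdqc.
"""
from __future__ import annotations

import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Minimum length when the password uses 1, 2, 3 or 4 character classes.
    # (16, 16, 16, 16) is the class-independent rule described in comment 1;
    # a descending tuple gives a passwdqc-style trade-off. The tiered values
    # used below are assumed for illustration.
    min_len_by_classes: tuple[int, int, int, int] = (16, 16, 16, 16)
    # Characters counted as the "special" class (space included so that
    # passphrases work). Anything outside the four classes is rejected and
    # the message says which characters are allowed. Assumed set.
    allowed_special: str = " !@#$%^&*()-_=+[]{};:,.?/"


BMO_LIKE = PasswordPolicy()                                   # 16 regardless of classes
TIERED = PasswordPolicy(min_len_by_classes=(24, 16, 12, 10))  # assumed, for contrast


def character_classes(password: str, policy: PasswordPolicy):
    """Return (set of class names used, list of characters outside every class)."""
    classes: set[str] = set()
    disallowed: list[str] = []
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower-case")
        elif ch in string.ascii_uppercase:
            classes.add("upper-case")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in policy.allowed_special:
            classes.add("special")
        else:
            disallowed.append(ch)
    return classes, disallowed


def describe_policy(policy: PasswordPolicy) -> str:
    """The text a change-password page should show before the user types anything."""
    mins = policy.min_len_by_classes
    if len(set(mins)) == 1:
        length_rule = f"at least {mins[0]} characters, whatever character classes you use"
    else:
        parts = [f"{m} characters if you use {i} class{'es' if i > 1 else ''}"
                 for i, m in enumerate(mins, 1)]
        length_rule = "at least " + ", ".join(parts)
    return (f"Passwords must be {length_rule}. Classes are lower-case, upper-case, "
            f"digits and the special characters {policy.allowed_special!r}; "
            f"other characters are not allowed.")


def check_password(password: str, policy: PasswordPolicy = BMO_LIKE):
    """Return (ok, message). On failure the message states the rule and the threshold."""
    classes, disallowed = character_classes(password, policy)
    if disallowed:
        return False, (f"Characters {sorted(set(disallowed))!r} are not allowed; "
                       f"allowed special characters are {policy.allowed_special!r}")
    n_classes = max(len(classes), 1)  # an empty password counts as one class
    required = policy.min_len_by_classes[n_classes - 1]
    if len(password) < required:
        return False, (f"Too short: {len(password)} characters, but at least {required} "
                       f"are required for a password using {n_classes} character class(es)")
    return True, "OK"


if __name__ == "__main__":
    # Constructed sample inputs; none of these is a real credential.
    print(describe_policy(BMO_LIKE))
    for pw in ["abc", "Tr0ub4dor&3", "correct horse battery staple", "p\u00e4ssword12345678"]:
        for name, pol in [("fixed-16", BMO_LIKE), ("tiered", TIERED)]:
            print(f"{name:9} {pw!r}: {check_password(pw, pol)}")
```

The point of the example is the message, not the policy: with the fixed-16 policy "Tr0ub4dor&3" is rejected and the user is told that 16 characters are needed, and with the tiered policy the same password passes because it uses four classes, which the message would also say had it failed. A site that tiers minimum length by class count should publish the full tuple up front (describe_policy) rather than let users discover it by trial and error.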
Updated 7 years ago
Summary: Minimum password length not indicated → Password requirements not stated
Comment 9, 7 years ago
Updated 7 years ago
Attachment #8909600 - Flags: review?(glob)
Comment 10, 7 years ago
Comment on attachment 8909600 [details] [review] patch r=glob
Attachment #8909600 - Attachment description: WIP.patch → patch
Attachment #8909600 - Flags: review?(glob) → review+
Updated 7 years ago
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED