Bug 1400949 - Password requirements not stated
Opened 7 years ago, closed 7 years ago

Categories: bugzilla.mozilla.org :: General (defect); version: Production; priority: Not set; severity: normal
Status: RESOLVED FIXED
People: Reporter: christoph, Assigned: dylan
References: Blocks 1 open bug
Attachments (1 file): patch, 45 bytes, text/x-github-pull-request; glob: review+
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170824053622

Steps to reproduce:

Logged in to https://bugzilla.mozilla.org with a password that does not satisfy complexity rules.


Actual results:

I was prompted for a new password, with the website informing me that the current password was "too shor" (sic!).
There was no hint how long the new password should be, nor an obvious link to such information.
Even when I entered a new password that was also deemed too short, I got no such information.


Expected results:

While prompting me for a new password, the website should have informed me not only that the current password was "too short" (mind the "t"!), but also what the required length actually is. Ideally, it should have informed me of the full password complexity rules, or provided me with an obvious link to such information.

(Technically, *I* would have expected the password to be long enough in the first place. How long and complex a password are we supposed to remember on sites we rarely visit?! Sure, I guess it makes sense to require super-duper-secure passwords for people with a lot of access rights; but then maybe the proper way is to have different complexity rules for different user groups, rather than impose Fort Knox-level passwords on all users.)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: general → nobody
Component: Bugzilla-General → General
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
So the minimum is 16 characters regardless of character classes used.
I assume the default configuration of passwdqc isn't secure enough, but I wonder if the limit should be lower for Int3/Int4...

This is but a configuration value, so perhaps Emma and Kang can have a discussion about meeting the security needs vs. contributors.

To the reporter: If you like, you can log in using GitHub without having a password at all -- in fact you may log in with GitHub even if you are using a password.
Depends on: 1391702
Flags: needinfo?(gdestuynder)
Flags: needinfo?(ehumphries)
Blocks: 1400972
Depends on: 1379668
No longer depends on: 1391702
I suspect that if we move Bugzilla to federated logins, this is a moot point as passwords are enforced by GitHub and LDAP instead, but otherwise yes - our default standard is the same for all users regardless of access. For example, if you were copied on a sensitive bug, Bugzilla would otherwise have to ask you to "change your password to something stronger" before you would get access, which is also a bad UX situation, unfortunately.

The federated login option story is a little better in that regard if we decide to implement it, though it would still require some "account upgrade" mechanism when added to a sensitive bug as well if we decided to have different policies depending on your access.

In the meantime I would recommend the usage of a password manager, which makes the length of a password less of an issue in day to day operations for users (since it just records it anyway).
Flags: needinfo?(gdestuynder)
I agree that using a PW manager is the best way to deal with this and recommended by security professionals. https://slackhq.com/two-simple-steps-to-safer-passwords-6af7bfe175c5

I'm going to close this as WONTFIX, and will open a bug to update the change password view with a note suggesting the user use a password manager.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(ehumphries)
Resolution: --- → WONTFIX
Please re-open: While I did take the opportunity to voice my opinion about the actual password complexity rules in place, the primary issue (as per the title) is that the user isn't informed about the required pwd length, and that they have to find it out by trial and error instead.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Assignee: nobody → dylan
State the required length and any other requirements, for example at least one upper-case and one lower-case character, one number, one special character, and state the set of allowable special characters in that case.
Summary: Minimum password length not indicated → Password requirements not stated
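The kind of message the reporter and the comment above ask for, as an added example that is not Bugzilla's or passwdqc's code: a policy object that can describe itself, and a check whose rejection names the failed rule with its actual number or set and then restates the whole policy, so nothing has to be found by trial and error. The 16-character minimum is the value quoted earlier in this bug; the character-class flags and the allowed-special-character set are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed example policy; defaults mirror the 16-character minimum quoted
    above with no character-class rule. Class flags let the same code describe stricter policies."""
    min_length: int = 16
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False
    allowed_special: str = "!@#$%^&*()-_=+[]{};:,.?/"  # constructed set, not Bugzilla's

    def describe(self) -> str:
        """State every requirement in full, so a rejection never needs guesswork."""
        parts = [f"at least {self.min_length} characters"]
        if self.require_upper:
            parts.append("one upper-case letter")
        if self.require_lower:
            parts.append("one lower-case letter")
        if self.require_digit:
            parts.append("one digit")
        if self.require_special:
            parts.append(f"one special character from: {self.allowed_special}")
        return "Passwords must contain " + ", ".join(parts) + "."


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> tuple[bool, str]:
    """Return (accepted, message). A rejection names each failed rule with the relevant
    number or set, then restates the whole policy. The password itself is never echoed back."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"too short ({len(password)} of {policy.min_length} required)")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.require_special:
        specials = {c for c in password if not c.isalnum()}
        disallowed = "".join(sorted(specials - set(policy.allowed_special)))
        if not specials:
            failures.append("no special character")
        elif disallowed:
            failures.append(f"disallowed special character(s): {disallowed!r}")
    if failures:
        return False, "Password rejected: " + "; ".join(failures) + ". " + policy.describe()
    return True, "Password accepted."
```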
Attached file patch
Attachment #8909600 - Flags: review?(glob)
Comment on attachment 8909600 [details] [review]
patch

r=glob
Attachment #8909600 - Attachment description: WIP.patch → patch
Attachment #8909600 - Flags: review?(glob) → review+
Status: REOPENED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED