Closed Bug 1524850 Opened 5 years ago Closed 2 years ago

Documented password guidelines do not match implementation

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal


RESOLVED FIXED

People

(Reporter: michael, Assigned: dkl)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:

  • Request a password reset for an existing account.
  • Click the link in the email to display the password reset form.
  • Read the password guidelines and pick a password. In this case, a password of 13 characters, including 2 uppercase letters, 1 digit, rest lowercase (which, as I read the guideline, should be compliant).

Actual results:

  • Password is rejected for including too few character classes.
  • Same goes for a passphrase of 4 words (not all of them real words, 5–6 characters each).
  • Eventually I gave up and logged in with GitHub (which has laxer password policies, thus defeating any security the Mozilla password guidelines intend to provide, but is at least a workaround for bugs in the implementation).

Expected results:

  • Passwords should be accepted if compliant with the documented policy.
  • I would also recommend that you reconsider the password policy. If multiple realms of authentication are allowed, security can never be stronger than the weakest password policy. If your password policy is not the weakest of them all, it is good enough and anything else is overkill.
  • Password policy again: we are not in a corporate setting where user accounts give access to confidential data. If a Bugzilla account is hacked, the main risk I see is that a user’s reputation may get abused for spam, posting phishing/malware links, or unacceptable content. It is in the user’s interest to prevent that from happening, thus password security should be the user’s decision. Maybe consider displaying a warning (“your password is not very secure, we suggest you go back and change it to something that complies with…”) instead.

I have the same bug. My password follows the guidelines; it contains upper case, lower case, and number characters, and has 12+ characters (won't specify exact number for obvious reasons). It was still rejected for not having enough character classes, even though the above matches the guidelines.

Also, is there a reason for having such stringent password requirements on a support forum? I feel that this trend of stringent password requirements on services which absolutely don't require them is a modern plague. Prescribing what users should do in this way causes a waste of time and effort on the part of the users.

A concrete example: I tried to change my bugzilla.mozilla.org password to the following:

hvymcwedgjfjA0

I think it meets all the requirements, but it was rejected. It was satisfied after I added a "!" character to the end of a similar password (12 random lowercase letters followed by "A0!"). These are the instructions I saw:

To change your password, enter a new password twice.

In order to protect your account, bugzilla.mozilla.org (BMO) requires you choose a strong password.

Our minimum requirements for passwords are:

    must be at least 12 characters in length
    must not contain parts of your email address, or your real name
    must be complex, which means:
        must be a passphrase of at least four words
        OR
        must contain a mixture of letters and symbols, containing characters from 3 out of the following 4 character classes:
            lowercase letters, uppercase letters, numbers, and other symbols

We also recommend you use a password manager such as Firefox Lockwise, Bitwarden, 1Password, or LastPass to manage unique passwords for each site you use.
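The documented rules quoted above, written out as a checker so the mismatch in both comments can be reproduced offline. This is an added example, not Bugzilla's own validation code; the helper names, the whitespace-based word count for the passphrase rule, the symbol class as "anything that is not a letter, digit or space", and the three-character minimum for an email or name fragment are assumptions, since the guideline text does not define them. Run against the documented text, "hvymcwedgjfjA0" and the reporter's 13-character password (two uppercase, one digit, rest lowercase) are both accepted, which is the behaviour the bug says the live form does not match.

```python
import re
from typing import List

# Constants restate the documented BMO policy quoted in the bug.
MIN_LENGTH = 12
MIN_PASSPHRASE_WORDS = 4
MIN_CLASSES = 3
# Assumption (not in the guideline): an email/name fragment must be at least
# this long before it counts as a "part of" the identity.
MIN_IDENTITY_FRAGMENT = 3

# The four character classes named in the guideline. The symbol class is an
# assumption: anything that is not a letter, digit or whitespace.
CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9\s]"),
}


def identity_fragments(email: str, real_name: str) -> List[str]:
    """Pieces of the user's identity the password must not contain.

    Assumption: the email local part, each dot/underscore/hyphen/plus
    separated piece of it, and each word of the real name, case-folded.
    """
    local = email.split("@", 1)[0]
    frags = [local] + re.split(r"[._\-+]", local) + real_name.split()
    return [f.lower() for f in frags if len(f) >= MIN_IDENTITY_FRAGMENT]


def character_classes(password: str) -> List[str]:
    """Names of the classes that occur at least once in the password."""
    return [name for name, rx in CLASSES.items() if rx.search(password)]


def word_count(password: str) -> int:
    """Assumption: a 'word' is any whitespace-separated token."""
    return len(password.split())


def check_password(password: str, email: str = "", real_name: str = "") -> List[str]:
    """Return the documented rules the password violates; empty means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    lowered = password.lower()
    for frag in identity_fragments(email, real_name):
        if frag in lowered:
            violations.append(f"contains part of email address or real name ({frag!r})")
            break

    # Complexity: a passphrase of four or more words, OR 3 of 4 classes.
    is_passphrase = word_count(password) >= MIN_PASSPHRASE_WORDS
    classes = character_classes(password)
    if not is_passphrase and len(classes) < MIN_CLASSES:
        violations.append(
            f"not complex: only {len(classes)} of 4 character classes "
            f"({', '.join(classes) or 'none'}) and fewer than "
            f"{MIN_PASSPHRASE_WORDS} words"
        )
    return violations


if __name__ == "__main__":
    # Constructed sample identity; the first password is the one from the bug.
    for pw in ["hvymcwedgjfjA0", "aBcdefghijkL1", "hvymcwedgjfj",
               "correct horse battery staple", "JaneDoe2024!!"]:
        print(repr(pw), check_password(pw, "jane.doe@example.org", "Jane Doe") or "accepted")
```

The checker returns the list of violated rules rather than a boolean so that a reset form can tell the user which documented rule failed; a rejection that names "too few character classes" for a password with three of them is exactly what the documented text cannot explain.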
Attached file GitHub Pull Request
Assignee: nobody → dkl
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED