Closed Bug 575340 Opened 14 years ago Closed 14 years ago

When resetting the password, there is still a "maxlength" on the "New Password" fields

Categories

(Bugzilla :: User Accounts, defect)

defect
Not set
minor

Tracking

RESOLVED FIXED
Bugzilla 3.6

People

(Reporter: mcoates, Assigned: reed)

References

Details

Attachments

(1 file)

Issue

When moving through the forgot password flow, the user is eventually prompted to enter a new password. This page enforces a maximum length (via password text box length) for the entered password. This length is not enforced on the actual login page. As a result, a user entering a long password may not realize that the last characters are not actually being accepted since the maximum number of characters has been entered. This results in the user thinking their password is one value, when it's actually another. Since the real login page doesn't truncate, the user receives a failed login each time.


Recommended Remediation
Set the max password length the same for each password text box (pass reset fields and actual login field).  Alternatively, modify the length and set it to a very high value that will not typically be met.
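As an added example (not the reporter's or Bugzilla's own code), a small Python check that pulls `maxlength` off the password inputs in template fragments, flags reset-form fields whose limit differs from the login field's, and simulates the silent truncation described above. The template fragments, field names and sample password are constructed stand-ins, not the real Bugzilla templates.

```python
import re

# Constructed template fragments standing in for the templates the bug discusses
# (not Bugzilla's real files): the login form, the reset form before the patch
# (size/maxlength present) and after it (both attributes removed).
LOGIN_TMPL = '<input type="password" name="Bugzilla_password" size="20">'
RESET_BEFORE = ('<input type="password" name="password" size="16" maxlength="16">\n'
                '<input type="password" name="matchpassword" size="16" maxlength="16">')
RESET_AFTER = ('<input type="password" name="password">\n'
               '<input type="password" name="matchpassword">')

INPUT_RE = re.compile(r"<input\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def password_limits(template):
    """Map each password <input>'s name to its maxlength (None = no limit)."""
    limits = {}
    for attrs in INPUT_RE.findall(template):
        a = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        if a.get("type", "text").lower() != "password":
            continue
        ml = a.get("maxlength")
        limits[a.get("name", "?")] = int(ml) if ml and ml.isdigit() else None
    return limits


def find_mismatches(login_tmpl, reset_tmpl):
    """Reset-form password fields whose limit differs from the login field's."""
    login_limit = next(iter(password_limits(login_tmpl).values()), None)
    return sorted(name for name, lim in password_limits(reset_tmpl).items()
                  if lim != login_limit)


def browser_value(typed, maxlength):
    """What the browser submits: maxlength silently drops the extra characters."""
    return typed if maxlength is None else typed[:maxlength]


def reset_then_login(typed, reset_tmpl, login_tmpl):
    """Does the password stored at reset time equal what login later submits?"""
    stored = browser_value(typed, password_limits(reset_tmpl)["password"])
    submitted = browser_value(typed, next(iter(password_limits(login_tmpl).values())))
    return stored == submitted


if __name__ == "__main__":
    pw = "correct horse battery staple"  # 28 characters, constructed sample
    print(find_mismatches(LOGIN_TMPL, RESET_BEFORE))        # ['matchpassword', 'password']
    print(reset_then_login(pw, RESET_BEFORE, LOGIN_TMPL))   # False: stored 16 chars, login sends 28
    print(find_mismatches(LOGIN_TMPL, RESET_AFTER))         # []
    print(reset_then_login(pw, RESET_AFTER, LOGIN_TMPL))    # True
```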
Ah, thanks for catching this! However, on trunk, the max password length is totally gone, so this isn't an issue anymore. I forget which version we fixed it in--might even be 3.6.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
It's still an issue on trunk. I have a patch almost ready.
Assignee: user-accounts → reed
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
And just because it's fixed on trunk doesn't mean we shouldn't fix older branches, too.
Status: REOPENED → ASSIGNED
Severity: normal → minor
Target Milestone: --- → Bugzilla 3.6
Remove both the size and maxlength parameters from the new password <input>s, as they aren't needed.
Attachment #454630 - Flags: review?(mkanat)
Attachment #454630 - Attachment description: patch - v1 (tip) → patch - v1 (tip/3.6)
Comment on attachment 454630 [details] [diff] [review]
patch - v1 (tip/3.6)

There is no reason to remove size="16". Else I guess each browser has its own default size, which is not what we want.
(In reply to comment #5)
> (From update of attachment 454630 [details] [diff] [review])
> There is no reason to remove size="16". Else I guess each browser has its own
> default size, which is not what we want.

We don't do size="whatever" on the other password <input>s, so why do it here? It doesn't make sense, and the input boxes look fine without it.
For 3.4/3.2, we could either take the same patch and remove the maxlength, as we don't do that on any of the other password <input>s, or we could make it use USER_PASSWORD_MAX_LENGTH and add it to the other <input>s to match...
Target Milestone: Bugzilla 3.6 → Bugzilla 3.2
Target Milestone: Bugzilla 3.2 → Bugzilla 3.6
Attachment #454630 - Flags: review?(mkanat) → review+
Flags: approval3.6+
Flags: approval+
Summary: Max Pass Length on Pass Reset Page Shorter than Login Page Max Pass Length → When resetting the password, there is still a "maxlength" on the "New Password" fields
For 3.4 and below no change will be done, because the max password length was in fact 16 characters. (For 3.2 in particular, it would be senseless to change, since it wasn't respecting any characters after the 8th.)
(In reply to comment #8)
> For 3.4 and below no change will be done, because the max password length was
> in fact 16 characters.

Twice in the last week or so, we've had people run into this problem on 3.4 specifically (both the reporter of this bug and a separate report to bugzilla-admin@ a few days ago). They both thought that Bugzilla permitted longer than 16 character passwords (as the other password-related fields permit it and apparently don't complain), but when they had to reset their passwords, they ran into this maxlength. So, I think we need to fix something in this for 3.4, at least, especially after the recent complaints.
Sorry, 3.4 is locked to security fixes and that is not a security fix.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/account/password/set-forgotten-password.html.tmpl
Committed revision 7261.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/account/password/set-forgotten-password.html.tmpl
Committed revision 7118.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Depends on: 471620