Closed
Bug 575340
Opened 14 years ago
Closed 14 years ago
When resetting the password, there is still a "maxlength" on the "New Password" fields
Categories: Bugzilla :: User Accounts, defect
Tracking: RESOLVED FIXED, Bugzilla 3.6
People: Reporter: mcoates, Assigned: reed
Attachments (1 file): patch, 765 bytes, mkanat: review+
Issue

When moving through the forgot password flow, the user is eventually prompted to enter a new password. This page enforces a maximum length (via password text box length) for the entered password. This length is not enforced on the actual login page. As a result, a user entering a long password may not realize that the last characters are not actually being accepted since the maximum characters have been entered. This results in the user thinking their password is one value, when it's actually another. Since the real login page doesn't truncate, the user receives a failed login each time.

Recommended Remediation

Set the max password length the same for each password text box (pass reset fields and actual login field). Alternatively, modify the length and set it to a very high value that will not typically be met.
Comment 1 • 14 years ago
Ah, thanks for catching this! However, on trunk, the max password length is totally gone, so this isn't an issue anymore. I forget which version we fixed it in--might even be 3.6.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Comment 2 (Assignee) • 14 years ago
It's still an issue on trunk. I have a patch almost ready.
Assignee: user-accounts → reed
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Comment 3 (Assignee) • 14 years ago
and just because it's fixed on trunk doesn't mean we shouldn't fix older branches, too.
Status: REOPENED → ASSIGNED
Updated • 14 years ago
Severity: normal → minor
Target Milestone: --- → Bugzilla 3.6
Comment 4 (Assignee) • 14 years ago
Remove both the size and maxlength parameters from the new password <input>s, as they aren't needed.
Attachment #454630 - Flags: review?(mkanat)
Updated (Assignee) • 14 years ago
Attachment #454630 - Attachment description: patch - v1 (tip) → patch - v1 (tip/3.6)
Comment 5 • 14 years ago
Comment on attachment 454630: patch - v1 (tip/3.6)

There is no reason to remove size="16". Else I guess each browser has its own default size, which is not what we want.
Comment 6 (Assignee) • 14 years ago
(In reply to comment #5)
> (From update of attachment 454630)
> There is no reason to remove size="16". Else I guess each browser has its own
> default size, which is not what we want.

We don't do size="whatever" on the other password <input>s, so why do it here? It doesn't make sense, and the input boxes look fine without it.
Comment 7 (Assignee) • 14 years ago
For 3.4/3.2, we could either take the same patch and remove the maxlength, as we don't do that on any of the other password <input>s, or we could make it use USER_PASSWORD_MAX_LENGTH and add it to the other <input>s to match...
Updated (Assignee) • 14 years ago
Target Milestone: Bugzilla 3.6 → Bugzilla 3.2
Updated • 14 years ago
Target Milestone: Bugzilla 3.2 → Bugzilla 3.6
Updated • 14 years ago
Attachment #454630 - Flags: review?(mkanat) → review+
Updated • 14 years ago
Flags: approval3.6+
Flags: approval+
Summary: Max Pass Length on Pass Reset Page Shorter than Login Page Max Pass Length → When resetting the password, there is still a "maxlength" on the "New Password" fields
Comment 8 • 14 years ago
For 3.4 and below no change will be done, because the max password length was in fact 16 characters. (For 3.2 in particular, it would be senseless to change, since it wasn't respecting any characters after the 8th.)
Comment 9 (Assignee) • 14 years ago
(In reply to comment #8)
> For 3.4 and below no change will be done, because the max password length was
> in fact 16 characters.

Twice in the last week or so, we've had people run into this problem on 3.4 specifically (both the reporter of this bug and a separate report to bugzilla-admin@ a few days ago). They both thought that Bugzilla permitted longer than 16 character passwords (as the other password-related fields permit it and apparently don't complain), but when they had to reset their passwords, they ran into this maxlength. So, I think we need to fix something in this for 3.4, at least, especially after the recent complaints.
Comment 10 • 14 years ago
Sorry, 3.4 is locked to security fixes and that is not a security fix.
Comment 11 (Assignee) • 14 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/account/password/set-forgotten-password.html.tmpl
Committed revision 7261.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/account/password/set-forgotten-password.html.tmpl
Committed revision 7118.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
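
The mismatch reported in this bug (a maxlength on the reset form that the other password fields do not have) can be checked for mechanically. The following Python script is an added example, not code from Bugzilla or from anyone in this thread: it scans HTML for password inputs and reports any whose maxlength is stricter than the loosest password field found. The template names, field names and markup are constructed for illustration.

```python
from html.parser import HTMLParser


class PasswordInputs(HTMLParser):
    """Collect (name, maxlength) for every <input type="password">."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            raw = a.get("maxlength")
            # None means the browser imposes no length limit on this field.
            limit = int(raw) if raw and raw.isdigit() else None
            self.fields.append((a.get("name"), limit))


def password_limits(templates):
    """Map template name -> list of (field name, maxlength or None)."""
    out = {}
    for name, html in templates.items():
        parser = PasswordInputs()
        parser.feed(html)
        parser.close()
        out[name] = parser.fields
    return out


def inconsistent_fields(templates):
    """Return (template, field, limit) for every password field that is
    stricter than the loosest password field anywhere in the set."""
    limits = password_limits(templates)
    every = [lim for fields in limits.values() for _, lim in fields]
    if not every:
        return []
    loosest = None if None in every else max(every)
    return [(t, f, lim) for t, fields in limits.items() for f, lim in fields
            if lim is not None and (loosest is None or lim < loosest)]


# Constructed sample markup (hypothetical names), not Bugzilla's templates.
SAMPLE = {
    "login.html": '<input type="password" name="login_password">',
    "reset.html": '<input type="password" name="new_password" size="16" maxlength="16">'
                  '<input type="password" name="confirm_password" size="16" maxlength="16">',
}

if __name__ == "__main__":
    for template, field, limit in inconsistent_fields(SAMPLE):
        print(f"{template}: {field} maxlength={limit} is stricter than other password fields")
```

A client-side maxlength is only a UI hint; whatever limit the server applies when storing and verifying the password is what every form has to agree with.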