Closed Bug 959794 Opened 6 years ago Closed 6 years ago

Validate password length

Categories

(Firefox for Android :: Android Sync, defect)

All
Android
defect
Not set

Tracking

()

VERIFIED FIXED
Tracking Status
firefox29 --- verified

People

(Reporter: pdehaan, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [qa+])

Attachments

(1 file)

Steps to reproduce:
1. Download and install http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/nalexander@mozilla.com-60c48d4ed251/try-android/
2. Go to (Android) Settings > Accounts > Add account > Firefox Account
3. Enter a valid email address format (peter@foo.com)
4. Enter a short password "ab".
5. Click the Create Account button.


Actual results:
Account is seemingly created with an invalid password length.


Expected results:
We should validate password length locally before sending to server and display a solid error message.
Chris, is there a defined minimum password length for FxA?
Flags: needinfo?(ckarlof)
OS: Mac OS X → Android
Hardware: x86 → All
Summary: must validate minimum password length → Validate password length
8 character minimum. No additional restrictions.
Flags: needinfo?(ckarlof)
Should be fixed by Bug 951304.  QA verification appreciated.

On create, the button should be disabled until the password is >= 8 characters long.  When signing in, the button should be disabled until the password is >= 1 character long.  This choice was made because the mocks I have don't show text about password length on sign in, and it's very strange to not have the button enabled immediately.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Flags: in-moztrap?(fennec)
Keywords: verifyme
QA Contact: aaron.train
I thought we also had a 64 char max limit?
"No additional restrictions." -- does that mean no max length?
Flags: needinfo?(ckarlof)
Status: RESOLVED → VERIFIED
Keywords: verifyme
(In reply to Richard Newman [:rnewman] from comment #6)
> "No additional restrictions." -- does that mean no max length?

We could consider doing that, but we send over a fixed length hash of the password to the FxA auth server, so there aren't DOS issues related to long passwords.

I don't see much upside in a max password length restriction at this point, other than preventing the user from creating a bad UX for themselves by choosing a 1000 char password.
Flags: needinfo?(ckarlof)
Product: Android Background Services → Firefox for Android
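
The rule settled on in the comments above (8-character minimum on create, non-empty on sign-in) and the reason a maximum length is not needed to protect the server, as an added Python example that is not the Firefox for Android code. The function names, the `verifier` field, and the PBKDF2 parameters are assumptions standing in for the real client's stretching step.

```python
import hashlib

MIN_CREATE_LEN = 8   # from the bug: 8 character minimum when creating an account
MIN_SIGNIN_LEN = 1   # from the bug: sign-in only needs a non-empty password


def submit_enabled(password: str, creating: bool) -> bool:
    """Return True when the Create Account / Sign In button should be enabled.

    len() counts Unicode code points here; a Java client using
    String.length() counts UTF-16 units, so the two can disagree on
    passwords containing characters outside the Basic Multilingual Plane.
    """
    minimum = MIN_CREATE_LEN if creating else MIN_SIGNIN_LEN
    return len(password) >= minimum


def derive_verifier(email: str, password: str) -> bytes:
    """Stretch the password into a fixed 32-byte value on the client.

    Assumption: PBKDF2-HMAC-SHA256 with an email-derived salt and 1000
    rounds is a stand-in for whatever the real client uses. The point is
    only that the output length does not depend on the password length.
    """
    salt = b"example-stretch:" + email.encode("utf-8")  # hypothetical salt format
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 1000, dklen=32)


def build_request(email: str, password: str, creating: bool) -> dict:
    """Validate locally, then build the body sent to the auth server."""
    if not submit_enabled(password, creating):
        raise ValueError("password too short; request is never sent")
    # 'verifier' is a hypothetical field name for the fixed-length hash.
    return {"email": email, "verifier": derive_verifier(email, password).hex()}


if __name__ == "__main__":
    # Constructed inputs: the "ab" password from the report, and a 1000-char one.
    print(submit_enabled("ab", creating=True))
    for pw in ("abcdefgh", "x" * 1000):
        body = build_request("peter@foo.com", pw, creating=True)
        print(len(pw), "chars ->", len(body["verifier"]) // 2, "bytes sent")
```

The server still has to enforce the minimum itself where it can, since a modified client can skip the local check.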