#6997 User account passwords have unvalidated hidden requirements

Status: self-service
Labels: password (9)
Created: 2014-03-05
Updated: 2014-03-05
Private: No

There appear to be some hidden password requirements for user accounts that aren't validated on password change.

Unable to log in to my account, I used the password reset link sent to me in an email (which is reusable, btw, and probably shouldn't be), and set a few different passwords before I found one that worked. For ones that didn't work, the password reset completed successfully, but logging in using the newly-set password failed.

Passwords of 80 characters failed, even when only alphanumeric. Alphanumeric passwords of 20 characters are usable. I haven't experimented more to find the exact breaking conditions.

In case it isn't obvious, I use extremely long passwords because they're stored in a password manager; if I'm not going to be remembering or typing them, I figure I might as well make brute-forcing impossible for many years to come.
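The defect the report describes is a mismatch between two code paths: the reset path accepted an 80-character password, but the login path would not verify it. The following is an added example, not SourceForge's code, showing the design that rules that out: one validation function shared by both paths, an explicit and documented length cap that is enforced before a reset token is consumed, and single-use reset tokens (the report notes the e-mailed link was reusable). The limits, user name and candidate passwords are constructed for illustration; the ticket does not state the real breaking condition.

```python
"""Added example (not SourceForge's code): a single password policy applied
identically on the set-password and login paths, plus single-use reset tokens."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical policy values; the ticket does not state the real limits.
MIN_LEN = 8
MAX_LEN = 128  # explicit, documented cap: anything longer is rejected at set time


class PasswordPolicyError(ValueError):
    """Raised when a candidate password violates the (single) policy."""


def validate_password(pw: str) -> bytes:
    """The one place password rules live; every path that handles a password calls it."""
    if not isinstance(pw, str):
        raise PasswordPolicyError("password must be a string")
    raw = pw.encode("utf-8")
    if len(pw) < MIN_LEN:
        raise PasswordPolicyError(f"password shorter than {MIN_LEN} characters")
    if len(raw) > MAX_LEN:
        raise PasswordPolicyError(f"password longer than {MAX_LEN} bytes")
    return raw


def hash_password(raw: bytes, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the same function is used to set and to verify."""
    return hashlib.pbkdf2_hmac("sha256", raw, salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    reset_token: Optional[str] = None  # at most one outstanding token, consumed on use


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, user: str, pw: str) -> None:
        raw = validate_password(pw)
        salt = secrets.token_bytes(16)
        self._accounts[user] = Account(salt, hash_password(raw, salt))

    def login(self, user: str, pw: str) -> bool:
        acct = self._accounts.get(user)
        if acct is None:
            return False
        try:
            raw = validate_password(pw)  # identical rules to the set-password path
        except PasswordPolicyError:
            return False
        return hmac.compare_digest(hash_password(raw, acct.salt), acct.digest)

    def request_reset(self, user: str) -> str:
        """Issue a fresh token; any earlier outstanding token is invalidated."""
        token = secrets.token_urlsafe(32)
        self._accounts[user].reset_token = token
        return token

    def reset_password(self, user: str, token: str, new_pw: str) -> None:
        acct = self._accounts.get(user)
        if acct is None or acct.reset_token is None or not hmac.compare_digest(acct.reset_token, token):
            raise PermissionError("invalid or already-used reset token")
        raw = validate_password(new_pw)  # reject a bad password before the token is spent
        acct.reset_token = None          # single-use: the link cannot be replayed
        acct.salt = secrets.token_bytes(16)
        acct.digest = hash_password(raw, acct.salt)


def set_then_login_consistent(store: AccountStore, user: str, candidates) -> Dict[str, str]:
    """Property the ticket shows violated: a password the reset path accepts must log in."""
    results: Dict[str, str] = {}
    for pw in candidates:
        token = store.request_reset(user)
        try:
            store.reset_password(user, token, pw)
        except PasswordPolicyError:
            results[pw] = "rejected at set time"
            continue
        results[pw] = "login ok" if store.login(user, pw) else "ACCEPTED BUT LOGIN FAILS"
    return results
```

The check that would have caught the report is `set_then_login_consistent`: run it over passwords of increasing length and any entry reading "ACCEPTED BUT LOGIN FAILS" is exactly the bug, a hidden requirement enforced on one path but not the other. Because the cap is a single constant consulted by both paths, an over-long password gets a clear error at reset time instead of a silently unusable account.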

Discussion

  • Anonymous - 2014-03-05

    We're working on replacing our authentication system entirely. As such, the current system isn't going to be modified. This is definitely an issue though and we'll make sure that the new authentication system is not affected by this.

    Regards,
    Chris Tsai, SourceForge.net Support

  • Anonymous - 2014-03-05
    • status: unread --> self-service
    • assigned_to: Chris Tsai