
#143 Passwords over 20 characters not accepted at login screen.

OpenEMM
closed-fixed
2
2016-10-28
2015-12-24
No

When creating a user or changing a user's password to one longer than 20 characters, the UI accepts this password as the new password. (Good!!)

However the login screen at :8080 has the password field set as:

<input type="password" name="password" maxlength="20" value="">

This means that any user who has a password longer than 20 characters (i.e. using a password manager) will receive an error logging in, as the form does not accept passwords greater than 20 characters in length.

Fluffy Mallow's suggested remedies
1. Remove the maxlength or document in the manual how to change the login screen password length defaults in files.
   * This probably would also mean testing what would happen should an attacker enter an unacceptably long password. Could this crash the system, could it bypass security?
2. On the user creation form/New Password form let the user know the limit is 20 and make the form accept only 20 characters for login. (Not ideal, but keeps consistency in case somebody changed the admin password to a really long one and then could no longer get into the system through traditional means.)
3. Put the note in the PDF Manual.
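A consistency check for the mismatch described in this report, added here as an example and not part of the ticket or of OpenEMM: it scans a login page for password inputs whose client-side maxlength is lower than what the server accepts, and shows a server-side length check that neither rejects long passwords nor chokes on oversized input. The sample HTML, the form action and the 1024-byte server limit are constructed for the example.

```python
"""Added example (not OpenEMM code): find client-side password caps that are
stricter than the server's own limit, and validate length server-side so that
a very long password is rejected cleanly rather than crashing anything."""
from html.parser import HTMLParser

# Constructed sample of a login form like the one quoted in the report.
LOGIN_HTML = """
<form action="/logon.do" method="post">
  <input type="text" name="username" value="">
  <input type="password" name="password" maxlength="20" value="">
  <input type="submit" value="Login">
</form>
"""

# Assumed server-side ceiling: generous enough for any password-manager
# password, small enough that a slow password hash cannot be fed megabytes.
SERVER_MAX_PASSWORD_BYTES = 1024


class PasswordFieldScanner(HTMLParser):
    """Collect (name, maxlength) for every <input type="password">."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attrs arrives as a list of (name, value) pairs
        if tag == "input" and (a.get("type") or "").lower() == "password":
            ml = a.get("maxlength")
            cap = int(ml) if ml and ml.strip().isdigit() else None
            self.fields.append((a.get("name"), cap))


def capped_password_fields(html, server_limit=SERVER_MAX_PASSWORD_BYTES):
    """Return password fields whose browser cap is below the server limit,
    i.e. fields that would lock out users holding longer valid passwords."""
    scanner = PasswordFieldScanner()
    scanner.feed(html)
    return [(n, c) for n, c in scanner.fields if c is not None and c < server_limit]


def validate_password_length(password):
    """Server-side check: (ok, reason). Never raises, whatever the length."""
    n = len(password.encode("utf-8"))
    if n == 0:
        return False, "empty"
    if n > SERVER_MAX_PASSWORD_BYTES:
        return False, "too long (limit %d bytes)" % SERVER_MAX_PASSWORD_BYTES
    return True, "ok"
```

Running `capped_password_fields(LOGIN_HTML)` on the sample flags `('password', 20)`, the exact field from the report; a form with no maxlength returns an empty list.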

Discussion

  • FluffyMallow

    FluffyMallow - 2015-12-24

    Sorry I meant:

    <input type="password" name="password" maxlength="20" value="">

    I was trying to grep my system to see if I could change it.

    Last edit: FluffyMallow 2015-12-24
  • Martin Aschoff

    Martin Aschoff - 2015-12-28
    • status: open --> pending
    • assigned_to: Martin Aschoff
    • Priority: 5 --> 7
  • Martin Aschoff

    Martin Aschoff - 2016-04-05
    • status: pending --> open
  • Martin Aschoff

    Martin Aschoff - 2016-04-12
    • status: open --> pending
    • Priority: 7 --> 2
  • Martin Aschoff

    Martin Aschoff - 2016-10-28
    • status: pending --> closed-fixed
  • Martin Aschoff

    Martin Aschoff - 2016-10-28

    Bug was fixed in R3.

    Last edit: Martin Aschoff 2016-10-28
