Forums

Issues:

• Password requirements (legal and illegal characters, length) are not explicitly stated
• Accounts can be created with passwords that contain illegal characters without showing an error
• Passwords can be reset to new passwords that contain illegal characters without showing an error

 

Problem scenario:

 

Someone uses a password manager to create a randomly generated password for the account. This password contains some illegal characters (unknown symbols because the site doesn't state what they are) but the account is successfully created (no error message given). When the user goes to log into the account using the password accepted during registration, they receive an error saying "Username / password do not match." The user doesn't understand why they're not able to log in.

 

The user goes to reset the password, creating another randomly generated password with the same criteria (character set). The password reset is "successful" (accepted with no errors given) but when they go to log in again, they get the same "Username / password do not match" error.

Now the user might guess that it's an issue with the site not accepting the password but they don't know why. Was the password too long? Did it contain illegal characters? They need to keep resetting their password, trying different things and testing it after each reset. I needed to reset my password 3 times before I figured out it was because of illegal characters (first time with same criteria as initial password, second time with same character set but shorter, third time more characters but alpha-numeric).

 

This sort of thing reflects pooly on the site because users could wonder if passwords are being handled securely behind the scenes as well (Are they being sent in plain text? Are they being hashed and salted? Are they being stored securely?).

Edité par nPrime

i have the same problem, as i use a randomly generated password.

This just bit me, too. I can log in, but only after refreshing the page after an apparent failure to log in.

When I try to change my password, it fails with an error of "Sorry, your old password is wrong".

I'm not receiving any password reset emails, either.

Also, I cannot log in when trying to file a bug from the PlayOnLinux program.

Still hasnt been addressed. Bump.

 

Sorry for the delay, this should have been adressed now.

For the details and the records: The registration page was mistakenly escaping the password before hashing it (which is useless). Therefore, the hash was not identical when logging it.  The registration page has been reworked ; we changed the way we query the database.

There are other security enhancement that are planned to be made soon.

Feel free to ask any question, I will try to response as accurately as possible.

Quentin

Thank you, Quentin, my issue is slightly different I am able to log in with my password, but that password is in security breach, so I need to change it, so I log in into my account, no issues when I tried to change my passwd show an error message about the provide password is incorrect. and I cannot pass from there even I have been using passwd generator or simple passwds always same message.