View Issue Details

ID: 0000637
Project: Main CAcert Website
Category: logged out
View Status: public
Last Update: 2013-01-15 06:52
Reporter: sluderitz
Assigned To: NEOatNHNG
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Fixed in Version: 2011 Q3
Summary: 0000637: Password suggestion always the same
Description: After clicking on "Join" on the main site a password suggestion is given in the text. Some people will probably use that password since the text states "To get a password that will work, we suggest the following example: Fr3d Sm|7h". Unfortunately this suggestion never changes. It should either be a randomly generated password suggestion or the suggestion should be removed.
Tags: No tags attached.
Reviewed by: Ted, NEOatNHNG
Test Instructions:

Relationships

related to 0000953 (closed, Uli60): After change of password on account.php?id=14 does not meet requirements, wrong redirect
related to 0000963 (closed, NEOatNHNG): Logout Session not completely reset

Activities

Ted

2011-04-03 13:12

administrator   ~0001899

I support the reporter that this bug should be fixed.

Ted

2011-04-03 19:20

administrator   ~0001900

I also noticed that there is no (explicit) minimum to the password length. "Aa1" would be accepted as a valid password. I guess passwords with fewer than 8 characters cannot be regarded as secure anymore.
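The report asks for a randomly generated suggestion instead of a fixed one, and the note above asks for a minimum length. The following Python is an added illustration of how such a check and generator could look; it is not CAcert's code and not the scoring rules of the bug-637 branch. The constants (minimum length 8, acceptance threshold of 4 out of 6), the character-class rules, the name/e-mail word penalty and the blocklist of the published example are all assumptions made for the example.

```python
import re
import secrets
import string

# Illustrative policy constants (assumptions, not CAcert's actual values).
MIN_LENGTH = 8          # the note above argues fewer than 8 characters is not secure
MAX_SCORE = 6           # the error text on the page reports "points out of 6"
ACCEPT_THRESHOLD = 4    # assumed cut-off; the page only shows 0, 2 and -1 rejected
# The fixed example the site used to print. A published suggestion is as guessable
# as a dictionary word, so it is rejected outright (assumed blocklist).
PUBLISHED_EXAMPLES = {"Fr3d Sm|7h"}

_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
            string.punctuation + " ")


def _personal_words(name: str, email: str) -> set[str]:
    """Words of 3+ characters taken from the user's name and e-mail local part."""
    raw = (name + " " + email.split("@")[0]).lower()
    return {w for w in re.split(r"[^a-z0-9]+", raw) if len(w) >= 3}


def score_passphrase(pw: str, name: str = "", email: str = "") -> int:
    """Score a pass phrase from -1 to MAX_SCORE using the illustrative rules."""
    if pw in PUBLISHED_EXAMPLES:
        return -1
    score = 0
    if len(pw) >= MIN_LENGTH:
        score += 1
    if len(pw) >= 12:
        score += 1
    # one point per character class present (lower, upper, digit, other)
    score += sum(1 for cls in _CLASSES if any(c in cls for c in pw))
    # too few differing characters (e.g. "aaaaaaa1") costs a point
    if len(set(pw)) < max(4, len(pw) // 2):
        score -= 1
    # each word from the user's name or e-mail found in the pass phrase costs two
    low = pw.lower()
    score -= 2 * sum(1 for w in _personal_words(name, email) if w in low)
    return max(-1, min(MAX_SCORE, score))


def is_acceptable(pw: str, name: str = "", email: str = "") -> bool:
    """Explicit length floor plus the score threshold."""
    return len(pw) >= MIN_LENGTH and score_passphrase(pw, name, email) >= ACCEPT_THRESHOLD


def validate_change(old: str, new: str, name: str = "", email: str = "") -> list[str]:
    """Reasons a pass-phrase change must be refused; an empty list means accept."""
    reasons = []
    if new == old:
        reasons.append("new pass phrase must differ from the current one")
    if not is_acceptable(new, name, email):
        reasons.append(
            f"only scored {score_passphrase(new, name, email)} points out of {MAX_SCORE}")
    return reasons


_SUGGEST_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def suggest_passphrase(name: str = "", email: str = "", length: int = 14) -> str:
    """A fresh suggestion on every call, drawn from the CSPRNG and re-checked
    against the same policy the form enforces, so the suggestion can never be
    one the form would then reject."""
    while True:
        candidate = "".join(secrets.choice(_SUGGEST_ALPHABET) for _ in range(length))
        if is_acceptable(candidate, name, email):
            return candidate


if __name__ == "__main__":
    user = ("Fred Smith", "fred@example.org")   # constructed sample user
    for pw in ("Fr3d Sm|7h", "Aa1", "TooSimple", "FredSmith2011!", "Really g00d password!"):
        print(f"{pw!r}: score {score_passphrase(pw, *user)}, accepted={is_acceptable(pw, *user)}")
    print("suggestion:", suggest_passphrase(*user))
```

The suggestion is generated with `secrets` rather than `random`, and it is validated with the same function the join and change-password forms would use, which is the property the original static text lacked: whatever the page shows is guaranteed to pass the check and is different for every visitor.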

Ted

2011-04-03 19:38

administrator   ~0001901

Last edited: 2011-04-04 06:39

Checked in proposed code change to git://git-cacert.it-sls.de/cacert-devel.git, branch bug-637

INOPIAE

2011-04-15 17:47

updater   ~0001920

I also found the Fr3d Sm|7h example on the lost password page.

Uli60

2011-04-21 17:58

updater   ~0001940

notification to testers sent

INOPIAE

2011-04-26 20:26

updater   ~0001943

The old password suggestion is not visible on the join and lost password pages.

Fr3d Sm|7h still works as a passphrase for join.

pseudomonas

2011-05-20 17:29

reporter   ~0001970

The passphrase Fr3d Sm|7h is still valid for join.

alex

2011-05-24 22:59

reporter   ~0002002

The password suggestion on the login page and the lost password page has vanished. The passphrase Fr3d Sm|7h is still valid for login. Identical old and new passwords are accepted as well.

INOPIAE

2011-06-21 21:48

updater   ~0002054

Last edited: 2011-06-21 21:49

The password suggestion Fr3d Sm|7h on login and lost password has vanished.
When the password is Fr3d Sm|7h, the password renewal page opens on login.
The password Fr3d Sm|7h can still be entered on password change, login and password renewal.

NEOatNHNG

2011-06-21 22:38

administrator   ~0002056

New fix released (in git and deployed on cacert1). Needs second review and testing.

INOPIAE

2011-06-21 22:59

updater   ~0002059

The password suggestion Fr3d Sm|7h on login and lost password has vanished. ok
When the password is Fr3d Sm|7h, the password renewal page opens on login. ok
The password Fr3d Sm|7h is not allowed to be entered on password change, login or password renewal. OK
On login and password renewal the change is refused with buggy behavior, see bug 0000953

Uli60

2011-07-05 01:10

updater   ~0002082

1. join new user637
 a) Fred... not displayed
    -> ok
 b) enter join form with Fred... pwd
    ends in error state
    big fat red warning letters:
    "The Pass Phrase you submitted failed to contain enough
     differing characters and/or contained words from your
     name and/or email address. Only scored 0 points out of 6."
    -> ok
 c) other pwd works -> ok
2. Lost Pass Phrase
   https://cacert1.it-sls.de/index.php?id=5
   does not show Fred... pwd
   -> ok
3. Login user637 - My Details - Change Password
   Change Pass Phrase
   https://cacert1.it-sls.de/account.php?id=14
 a) Fred... not displayed
    -> ok
 b) enter passphrase Fred....
    ends in error state
    "The Pass Phrase you submitted failed to contain
     enough differing characters and/or contained words
     from your name and/or email address. Only scored
     0 points out of 6."
    -> ok
 c) other pwd works -> ok
4. Lost password
  step 1 enter email and DoB
  step 2 Lost Pass Phrase - Step 2
          no Fred... pwd suggestion displayed -> ok
          password questions
     new passphrase
     enter Fred....
  ends with error state
    big fat red warning letters:
    "The Pass Phrase you submitted failed to contain enough
     differing characters and/or contained words from your
     name and/or email address. Only scored 0 points out of 6."
    -> ok
  re-step 2
  step 2 Lost Pass Phrase - Step 2
          no Fred... pwd suggestion displayed -> ok
          password questions
     new passphrase
     enter different pwd
  passphrase changed -> ok
5. login as sysadmin
  Sysadmin - find user: user637
  change password:
    Fred... is not suggested -> ok
  entering Fred...
  accepted -> mhh
  Support should know not to use this weak password
  -> ok
6. login user637
   with weak pwd Fred....
   Red warning: For your own security you should change your pass phrase immediately! -> ok
   Fred... is not suggested
   using weak pwd again fails with error message:
   You failed to correctly enter your current Pass Phrase. -> ok
   re-login no longer works (Incorrect email address and/or Pass Phrase)
   maybe a typo ?!?
   ok, pwd reset

   after the pwd was correctly reset and a new relogin
   there is again a warning
   Red warning: For your own security you should change your pass phrase immediately! -> not ok
   new password
   passphrase updated

   relogin user637
   there is again a warning
   Red warning: For your own security you should change your pass phrase immediately! -> not ok
   new password
   passphrase updated

   relogin user637
   there is again a warning
   Red warning: For your own security you should change your pass phrase immediately! -> not ok
   break
   walk through My Details - Change Password
   new password
   passphrase updated

   relogin user637
   there is again a warning
   Red warning: For your own security you should change your pass phrase immediately! -> not ok
   break
   logout
   browser restart

   relogin user637
   using "other" pwd
   Warning message disappeared

alex

2011-07-12 21:02

reporter   ~0002115

1. Login with existing user with default password "Fred"

Results in:
For your own security you should change your pass phrase immediately!
Change Pass Phrase
Old Pass Phrase:
New Pass Phrase*:
Pass Phrase Again*:

2. Entering old, existing password in both old and new fields

Results in:
The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored -1 points out of 6.

3. Working is still possible

4. Logout

5. Login

Results in:
Procedure restarts from beginning

6. Changing Password
   + My Details -> Change Password
   "Fred" -> something short

Results in:
The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored 2 points out of 6.

7. Login + Login

Results in:
For your own security you should change your pass phrase immediately!
Change Pass Phrase
Old Pass Phrase:
New Pass Phrase*:
Pass Phrase Again*:

8. Changing Password
   "Fred" -> 'something harder'

Results in:
Your Pass Phrase has been updated and your primary email account has been notified of the change.

9. Changing Password to "Fred"

Results in:
The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored -1 points out of 6.

10. Changing Password to something acceptable

=> Overall: Test succeeded

INOPIAE

2011-07-23 09:22

updater   ~0002184

1. Try to join with Fr3d Sm|7h -> not allowed => ok
2. Change pwd to Fr3d Sm|7h via the admin console
login with Fr3d Sm|7h -> moves to change pwd -> enter Fr3d Sm|7h -> shows "The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored 2 points out of 6." => ok

login with Fr3d Sm|7h -> moves to change pwd -> enter new allowed pwd. -> shows "Your Pass Phrase has been updated and your primary email account has been notified of the change." => ok

3. log in with valid pwd -> go to change pwd -> enter Fr3d Sm|7h as new pwd ->
shows "The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored -1 points out of 6." => ok

Ted

2011-07-24 21:10

administrator   ~0002193

Reviewed commits a3d7949c04a06539a8a0982968f711b7832d8672 versus e7368868ba88433956ad034fb7883d2dcd9566be.

Code changes approved.

Ted

2011-07-24 21:40

administrator   ~0002194

Test with account creation:
Password "simple" fails => ok
Password "TooSimple" fails => ok
Password "Fr3d Sm|7h" fails => ok
Password "Really g00d password!" is accepted => ok

Changing password for existing account:
Password "simple" fails => ok
Password "TooSimple" fails => ok
Password "Fr3d Sm|7h" fails => ok
Password "Really g00d password!" is accepted => ok
Logout and login: good password works ==> ok

Changing password with admin console, then login:
Password "simple": password change requested => ok
Password "TooSimple": password change requested => ok
Password "Fr3d Sm|7h": password change requested => ok
Password "Really g00d password!": password change not requested => ok

Note that after changing a simple password to a valid one, then logging out and logging in again, a password change is also requested! If the browser is restarted after logging out everything works fine. Seems like the session does not get deleted cleanly on logout?

Overall result: Please evaluate if the session problem can be fixed!

Ted

2011-07-27 07:21

administrator   ~0002213

The session problem now has its own bug (0000963).

Since it is also a minor issue I'd say this patch can be deployed.

NEOatNHNG

2011-08-01 01:21

administrator   ~0002229

Mail sent to critical admins.

wytze

2011-08-01 14:41

developer   ~0002235

Patch applied to production system on August 1, 2011. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2011-08/msg00000.html

Issue History

Date Modified Username Field Change
2008-09-23 14:43 sluderitz New Issue
2011-04-03 13:12 Ted Note Added: 0001899
2011-04-03 19:20 Ted Note Added: 0001900
2011-04-03 19:38 Ted Note Added: 0001901
2011-04-04 06:39 Ted Note Edited: 0001901
2011-04-15 17:47 INOPIAE Note Added: 0001920
2011-04-21 17:58 Uli60 Note Added: 0001940
2011-04-26 20:26 INOPIAE Note Added: 0001943
2011-05-20 17:29 pseudomonas Note Added: 0001970
2011-05-24 22:59 alex Note Added: 0002002
2011-06-14 21:48 NEOatNHNG Assigned To => egal
2011-06-14 21:48 NEOatNHNG Status new => needs work
2011-06-19 16:53 NEOatNHNG Source_changeset_attached => cacert-devel master 216236e1
2011-06-19 16:53 NEOatNHNG Source_changeset_attached => cacert-devel master 33a830c1
2011-06-21 21:48 INOPIAE Note Added: 0002054
2011-06-21 21:49 INOPIAE Note Edited: 0002054
2011-06-21 22:38 NEOatNHNG Note Added: 0002056
2011-06-21 22:38 NEOatNHNG Assigned To egal => NEOatNHNG
2011-06-21 22:38 NEOatNHNG Status needs work => needs review & testing
2011-06-21 22:41 INOPIAE Relationship added related to 0000953
2011-06-21 22:59 INOPIAE Note Added: 0002059
2011-06-21 23:46 NEOatNHNG Source_changeset_attached => cacert-devel master c3809213
2011-06-21 23:57 NEOatNHNG Source_changeset_attached => cacert-devel master c3809213
2011-06-21 23:57 NEOatNHNG Source_changeset_attached => cacert-devel master e7368868
2011-06-21 23:57 NEOatNHNG Source_changeset_attached => cacert-devel master 62f99b56
2011-06-21 23:57 NEOatNHNG Source_changeset_attached => cacert-devel master 325b123b
2011-06-21 23:57 NEOatNHNG Source_changeset_attached => cacert-devel master 216236e1
2011-06-21 23:57 NEOatNHNG Source_changeset_attached => cacert-devel master 33a830c1
2011-06-22 00:09 NEOatNHNG Source_changeset_attached => cacert-devel master c3809213
2011-06-22 00:09 NEOatNHNG Source_changeset_attached => cacert-devel master e7368868
2011-06-22 00:09 NEOatNHNG Source_changeset_attached => cacert-devel master 62f99b56
2011-06-22 00:09 NEOatNHNG Source_changeset_attached => cacert-devel master 325b123b
2011-06-22 00:09 NEOatNHNG Source_changeset_attached => cacert-devel master 216236e1
2011-06-22 00:09 NEOatNHNG Source_changeset_attached => cacert-devel master 33a830c1
2011-07-02 01:56 NEOatNHNG Reviewed by => NEOatNHNG
2011-07-05 01:10 Uli60 Note Added: 0002082
2011-07-12 21:02 alex Note Added: 0002115
2011-07-23 09:22 INOPIAE Note Added: 0002184
2011-07-24 21:10 Ted Note Added: 0002193
2011-07-24 21:11 Ted Reviewed by NEOatNHNG => Ted, NEOatNHNG
2011-07-24 21:11 Ted Status needs review & testing => needs testing
2011-07-24 21:40 Ted Note Added: 0002194
2011-07-26 21:26 Uli60 Relationship added related to 0000963
2011-07-27 07:21 Ted Note Added: 0002213
2011-07-27 07:21 Ted Status needs testing => ready to deploy
2011-08-01 01:21 NEOatNHNG Note Added: 0002229
2011-08-01 01:35 NEOatNHNG Source_changeset_attached => cacert-devel release 42307079
2011-08-01 14:41 wytze Note Added: 0002235
2011-08-01 14:41 wytze Status ready to deploy => closed
2011-08-01 14:41 wytze Resolution open => fixed
2013-01-15 06:52 Werner Dworak Fixed in Version => 2011 Q3