View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000637 | Main CAcert Website | logged out | public | 2008-09-23 14:43 | 2013-01-15 06:52 |
Reporter | sluderitz | Assigned To | NEOatNHNG | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2011 Q3 | ||||
Summary | 0000637: Password suggestion always the same | ||||
Description | After clicking on "Join" on the main site a password suggestion is given in the text. Some people will probably use that password since the text states "To get a password that will work, we suggest the following example:Fr3d Sm|7h". Unfortunately this suggestion never changes. It should either be a random generated password suggestion or the suggestion should be removed. | ||||
Tags | No tags attached. | ||||
Reviewed by | Ted, NEOatNHNG | ||||
Test Instructions | |||||

Note 0001899 (Ted, 2011-04-03 13:12):
I support the reporter that this bug should be fixed.

Note 0001900 (Ted, 2011-04-03 19:20):
I also noticed that there is no (explicit) minimum to the password length. "Aa1" would be accepted as a valid password. I guess passwords with fewer than 8 characters cannot be regarded as secure anymore.

Note 0001901 (Ted, 2011-04-03 19:38, edited 2011-04-04 06:39):
Checked in proposed code change to git://git-cacert.it-sls.de/cacert-devel.git, branch bug-637

Note 0001920 (INOPIAE, 2011-04-15 17:47):
I found the Fr3d Sm|7h example also on the lost password page.

Note 0001940 (Uli60, 2011-04-21 17:58):
Notification to testers sent.

Note 0001943 (INOPIAE, 2011-04-26 20:26):
The old password suggestion is not visible on the join and lost password pages. Fr3d Sm|7h still works as a passphrase for join.

Note 0001970 (pseudomonas, 2011-05-20 17:29):
The passphrase Fr3d Sm|7h is still valid for join.

Note 0002002 (alex, 2011-05-24 22:59):
The password suggestion on the login page and lost password page has vanished. Passphrase Fr3d Sm|7h is still valid for login. Identical old and new passwords are accepted as well.

Note 0002054 (INOPIAE, 2011-06-21 21:48, edited 21:49):
Password suggestion Fr3d Sm|7h on login and lost password has vanished. When the password is Fr3d Sm|7h, on login the password renewal page opens. The password Fr3d Sm|7h can still be entered on password change, login, password renewal.

Note 0002056 (NEOatNHNG, 2011-06-21 22:38):
New fix released (in git and deployed on cacert1). Needs second review and testing.

Note 0002059 (INOPIAE, 2011-06-21 22:59):
Password suggestion Fr3d Sm|7h on login and lost password has vanished. ok
When the password is Fr3d Sm|7h, on login the password renewal page opens. ok
The password Fr3d Sm|7h is not allowed to be entered on password change, login, password renewal. OK
On login and password renewal the change is refused with buggy behaviour, see bug 0000953.

Note 0002082 (Uli60, 2011-07-05 01:10):
1. Join new user637
   a) Fred... not displayed -> ok
   b) Enter join form with Fred... pwd: ends in error state, big fat red warning letters: "The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored 0 points out of 6." -> ok
   c) Other pwd works -> ok
2. Lost Pass Phrase https://cacert1.it-sls.de/index.php?id=5 does not show Fred... pwd -> ok
3. Login user637 - My Details - Change Password (Change Pass Phrase, https://cacert1.it-sls.de/account.php?id=14)
   a) Fred... not displayed -> ok
   b) Enter passphrase Fred...: ends in error state "The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored 0 points out of 6." -> ok
   c) Other pwd works -> ok
4. Lost password
   Step 1: enter email and DoB.
   Step 2: Lost Pass Phrase - Step 2: no Fred... pwd suggestion displayed -> ok
   Password questions, new passphrase: enter Fred...: ends with error state, big fat red warning letters: "The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored 0 points out of 6." -> ok
   Re-step 2: Lost Pass Phrase - Step 2: no Fred... pwd suggestion displayed -> ok
   Password questions, new passphrase: enter different pwd: passphrase changed -> ok
5. Login as sysadmin: Sysadmin - find user: user637, change password: Fred... is not suggested -> ok; entering Fred... is accepted -> mhh, Support should know not to use this weak password -> ok
6. Login user637 with weak pwd Fred...: red warning "For your own security you should change your pass phrase immediately!" -> ok. Fred... is not suggested; using the weak pwd again fails with error message "You failed to correctly enter your current Pass Phrase." -> ok. Re-login no longer works (Incorrect email address and/or Pass Phrase), maybe a typo?!?
   OK, pwd reset. After the pwd was correctly reset and a new relogin, there is again the red warning "For your own security you should change your pass phrase immediately!" -> not ok
   New password, passphrase updated, relogin user637: there is again the red warning "For your own security you should change your pass phrase immediately!" -> not ok
   New password, passphrase updated, relogin user637: there is again the red warning "For your own security you should change your pass phrase immediately!" -> not ok
   Break. Walk through My Details - Change Password: new password, passphrase updated, relogin user637: there is again the red warning "For your own security you should change your pass phrase immediately!" -> not ok
   Break. Logout, browser restart, relogin user637 using "other" pwd: warning message disappeared.

Note 0002115 (alex, 2011-07-12 21:02):
1. Login with existing user with default password "Fred". Results in: For your own security you should change your pass phrase immediately! Change Pass Phrase: Old Pass Phrase: / New Pass Phrase*: / Pass Phrase Again*:
2. Entering old, existing password in both old and new fields. Results in: The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored -1 points out of 6.
3. Working is still possible.
4. Logout.
5. Login. Results in: Procedure restarts from the beginning.
6. Changing Password + My Details -> Change Password: "Fred" -> something short. Results in: The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored 2 points out of 6.
7. Login + Login. Results in: For your own security you should change your pass phrase immediately! Change Pass Phrase: Old Pass Phrase: / New Pass Phrase*: / Pass Phrase Again*:
8. Changing Password: "Fred" -> 'something harder'. Results in: Your Pass Phrase has been updated and your primary email account has been notified of the change.
9. Changing Password to "Fred". Results in: The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored -1 points out of 6.
10. Changing Password to something acceptable.
=> Overall: Test succeeded

Note 0002184 (INOPIAE, 2011-07-23 09:22):
1. Try to join with Fr3d Sm|7h -> not allowed => ok
2. Change pwd to Fr3d Sm|7h over the admin console. Login with Fr3d Sm|7h -> moves to change pwd -> enter Fr3d Sm|7h -> shows "The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored 2 points out of 6." => ok. Login with Fr3d Sm|7h -> moves to change pwd -> enter new allowed pwd -> shows "Your Pass Phrase has been updated and your primary email account has been notified of the change." => ok
3. Login with valid pwd -> go to change pwd -> enter Fr3d Sm|7h as new pwd -> shows "The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored -1 points out of 6." => ok

Note 0002193 (Ted, 2011-07-24 21:10):
Reviewed commits a3d7949c04a06539a8a0982968f711b7832d8672 versus e7368868ba88433956ad034fb7883d2dcd9566be. Code changes approved.

Note 0002194 (Ted, 2011-07-24 21:40):
Test with account creation:
  Password "simple" fails => ok
  Password "TooSimple" fails => ok
  Password "Fr3d Sm|7h" fails => ok
  Password "Really g00d password!" is accepted => ok
Changing password for existing account:
  Password "simple" fails => ok
  Password "TooSimple" fails => ok
  Password "Fr3d Sm|7h" fails => ok
  Password "Really g00d password!" is accepted => ok
Logout and login: good password works ==> ok
Changing password with admin console, then login:
  Password "simple": password change requested => ok
  Password "TooSimple": password change requested => ok
  Password "Fr3d Sm|7h": password change requested => ok
  Password "Really g00d password!": password change not requested => ok
Note that when changing a simple password to a valid one, then logging out and logging in again, a password change is also requested! If the browser is restarted after logging out everything works fine. Seems like the session does not get deleted cleanly on logout?
Overall result: Please evaluate if the session problem can be fixed!

Note 0002213 (Ted, 2011-07-27 07:21):
The session problem now has its own bug (0000963). Since it also is a minor issue I'd say this patch can be deployed.

Note 0002229 (NEOatNHNG, 2011-08-01 01:21):
Mail sent to critical admins.

Note 0002235 (wytze, 2011-08-01 14:41):
Patch applied to production system on August 1, 2011. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2011-08/msg00000.html

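The behaviour the test notes converge on, as one policy check: the example passphrase that the join and lost-passphrase pages used to print is refused outright whatever it scores, a passphrase below a score threshold or containing words from the user's name or email is refused, a new passphrase identical to the old one is refused, and a length floor of 8 as proposed in the second note is enforced. This is an added illustration, not CAcert's own checkpw code: the 0..6 scale, the pass mark of 4, the length floor and the test user "Fred Smith" / fred.smith@example.com are assumptions; the passphrases run through it are the ones the test notes used.

```python
"""Passphrase policy check modelled on the behaviour described in the test notes of
bug 0000637. Added illustration, not CAcert's own checkpw code: the 0..6 scale, the
pass mark and the length floor are assumptions chosen to mirror the page's messages."""
import re

MIN_LENGTH = 8   # assumption: the floor proposed in note 0001900
MIN_SCORE = 4    # assumption: pass mark on the 0..6 scale below
MAX_SCORE = 6

# The example the join and lost-passphrase pages used to print verbatim. A static
# suggestion is a published password, so it is refused regardless of its score.
BANNED_PASSPHRASES = {"fr3d sm|7h"}

_CHARACTER_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)


def identity_tokens(name, email):
    """Lower-cased words (3+ chars) from the user's name and the local part of the
    email address; none of them may appear inside the passphrase."""
    local_part = email.split("@", 1)[0]
    raw = re.split(r"[^A-Za-z0-9]+", name) + re.split(r"[^A-Za-z0-9]+", local_part)
    return {t.lower() for t in raw if len(t) >= 3}


def score_passphrase(pw):
    """0..6: one point per character class present, one for length >= 12,
    one for at least 8 distinct characters (assumed scale)."""
    score = sum(1 for cls in _CHARACTER_CLASSES if cls.search(pw))
    if len(pw) >= 12:
        score += 1
    if len(set(pw)) >= 8:
        score += 1
    return score


def check_passphrase(new_pw, name="", email="", old_pw=None):
    """Return (accepted, score, reasons); accepted is True only when reasons is empty.
    The same check is what a login handler would run on an admin-set passphrase to
    decide whether to force a change, which is the case the admin-console tests cover."""
    reasons = []
    lowered = new_pw.lower()
    if len(new_pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in BANNED_PASSPHRASES:
        reasons.append("is the published example passphrase")
    hits = sorted(t for t in identity_tokens(name, email) if t in lowered)
    if hits:
        reasons.append("contains words from name/email: " + ", ".join(hits))
    if old_pw is not None and new_pw == old_pw:
        reasons.append("identical to the current passphrase")
    score = score_passphrase(new_pw)
    if score < MIN_SCORE:
        reasons.append(f"only scored {score} points out of {MAX_SCORE}")
    return (not reasons, score, reasons)


if __name__ == "__main__":
    # Constructed test user (assumption); the passphrases are the ones the test notes used.
    user = {"name": "Fred Smith", "email": "fred.smith@example.com"}
    for pw in ("simple", "TooSimple", "Aa1", "Fr3d Sm|7h",
               "FredSmith2024!", "Really g00d password!"):
        ok, score, why = check_passphrase(pw, **user)
        verdict = "accepted" if ok else "rejected: " + "; ".join(why)
        print(f"{pw!r:25} score {score}/{MAX_SCORE} -> {verdict}")
```

Run stand-alone it prints one verdict per passphrase. The instructive case is "Fr3d Sm|7h": on the character-class scale it scores 5 of 6, so without the explicit ban it passes, which is exactly what the earlier test notes observed before the second fix; a strength score alone never catches a password that has been handed to every visitor in the page text.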
Date Modified | Username | Field | Change |
---|---|---|---|
2008-09-23 14:43 | sluderitz | New Issue | |
2011-04-03 13:12 | Ted | Note Added: 0001899 | |
2011-04-03 19:20 | Ted | Note Added: 0001900 | |
2011-04-03 19:38 | Ted | Note Added: 0001901 | |
2011-04-04 06:39 | Ted | Note Edited: 0001901 | |
2011-04-15 17:47 | INOPIAE | Note Added: 0001920 | |
2011-04-21 17:58 | Uli60 | Note Added: 0001940 | |
2011-04-26 20:26 | INOPIAE | Note Added: 0001943 | |
2011-05-20 17:29 | pseudomonas | Note Added: 0001970 | |
2011-05-24 22:59 | alex | Note Added: 0002002 | |
2011-06-14 21:48 | NEOatNHNG | Assigned To | => egal |
2011-06-14 21:48 | NEOatNHNG | Status | new => needs work |
2011-06-19 16:53 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 216236e1 |
2011-06-19 16:53 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 33a830c1 |
2011-06-21 21:48 | INOPIAE | Note Added: 0002054 | |
2011-06-21 21:49 | INOPIAE | Note Edited: 0002054 | |
2011-06-21 22:38 | NEOatNHNG | Note Added: 0002056 | |
2011-06-21 22:38 | NEOatNHNG | Assigned To | egal => NEOatNHNG |
2011-06-21 22:38 | NEOatNHNG | Status | needs work => needs review & testing |
2011-06-21 22:41 | INOPIAE | Relationship added | related to 0000953 |
2011-06-21 22:59 | INOPIAE | Note Added: 0002059 | |
2011-06-21 23:46 | NEOatNHNG | Source_changeset_attached | => cacert-devel master c3809213 |
2011-06-21 23:57 | NEOatNHNG | Source_changeset_attached | => cacert-devel master c3809213 |
2011-06-21 23:57 | NEOatNHNG | Source_changeset_attached | => cacert-devel master e7368868 |
2011-06-21 23:57 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 62f99b56 |
2011-06-21 23:57 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 325b123b |
2011-06-21 23:57 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 216236e1 |
2011-06-21 23:57 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 33a830c1 |
2011-06-22 00:09 | NEOatNHNG | Source_changeset_attached | => cacert-devel master c3809213 |
2011-06-22 00:09 | NEOatNHNG | Source_changeset_attached | => cacert-devel master e7368868 |
2011-06-22 00:09 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 62f99b56 |
2011-06-22 00:09 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 325b123b |
2011-06-22 00:09 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 216236e1 |
2011-06-22 00:09 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 33a830c1 |
2011-07-02 01:56 | NEOatNHNG | Reviewed by | => NEOatNHNG |
2011-07-05 01:10 | Uli60 | Note Added: 0002082 | |
2011-07-12 21:02 | alex | Note Added: 0002115 | |
2011-07-23 09:22 | INOPIAE | Note Added: 0002184 | |
2011-07-24 21:10 | Ted | Note Added: 0002193 | |
2011-07-24 21:11 | Ted | Reviewed by | NEOatNHNG => Ted, NEOatNHNG |
2011-07-24 21:11 | Ted | Status | needs review & testing => needs testing |
2011-07-24 21:40 | Ted | Note Added: 0002194 | |
2011-07-26 21:26 | Uli60 | Relationship added | related to 0000963 |
2011-07-27 07:21 | Ted | Note Added: 0002213 | |
2011-07-27 07:21 | Ted | Status | needs testing => ready to deploy |
2011-08-01 01:21 | NEOatNHNG | Note Added: 0002229 | |
2011-08-01 01:35 | NEOatNHNG | Source_changeset_attached | => cacert-devel release 42307079 |
2011-08-01 14:41 | wytze | Note Added: 0002235 | |
2011-08-01 14:41 | wytze | Status | ready to deploy => closed |
2011-08-01 14:41 | wytze | Resolution | open => fixed |
2013-01-15 06:52 | Werner Dworak | Fixed in Version | => 2011 Q3 |