roller-commits mailing list archives

From "Noah Slater (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (ROL-1959) Complex passwords don't work
Date Sun, 31 Mar 2013 13:37:15 GMT

    [ https://issues.apache.org/jira/browse/ROL-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13618325#comment-13618325 ]

Noah Slater edited comment on ROL-1959 at 3/31/13 1:37 PM:
-----------------------------------------------------------

I use a password manager that generates passwords for me. So I copy and paste those passwords
out of the password manager, and into the form. I believe my use of a password manager in
this way constitutes very good security practice.

I am reopening this bug because I believe that when I copy and paste a password, if it is
"too long" for Roller, I should receive a validation error. The paste should not silently
truncate my password. Otherwise, every user who pastes a password that is "too long" will
be "locked out" of their account.

Scare quoted "too long" because I think "20" is arbitrary, and can't think of any technical
reason a password should be limited in length. It concerns me that you mention database changes.
I hope that the password never touches the database...

Scare quoted "locked out" because obviously, I am not actually locked out. My password is
just a substring of the password I thought it was. (In fact, this is confirmed. I am back
in.)
                
was (Author: nslater):
I use a password manager that generates passwords for me. So I copy and paste those passwords
out of the password manager, and into the form. I believe my use of a password manager in
this way constitutes very good security practice.

I am reopening this bug because I believe that when I copy and paste a password, if it is
"too long" for Roller, I should receive a validation error. The paste should not silently
truncate my password. This will result in every user who copies and pastes a password that
is "too long" being "locked out" of their account.

Scare quoted "too long" because I think "20" is arbitrary, and can't think of any technical
reason a password should be limited in length. It concerns me that you mention database changes.
I hope that the password never touches the database...

Scare quoted "locked out" because obviously, I am not actually locked out. My password is
just a substring of the password I thought it was. (In fact, this is confirmed. I am back
in.)
                  
> Complex passwords don't work
> ----------------------------
>
>                 Key: ROL-1959
>                 URL: https://issues.apache.org/jira/browse/ROL-1959
>             Project: Roller
>          Issue Type: Bug
>            Reporter: Noah Slater
>            Assignee: Roller Unassigned
>
> Sorry for the vague ticket title. I don't want to make presumptions about the issue.
> Steps to reproduce:
> 1. Log in
> 2. Set your password to something long and complex like: xaQ}W,3tg4.VkAy4b398C9cRu8gE$vm{%f}V;L96bJyWf}#ELa
> 3. Log out
> 4. Try to log back in again
> What I see:
> I am unable to log in.
> What I expect to see:
> I am able to log in.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
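
The behaviour reported in this message, as an added illustration that is not Roller code and not part of the original message: a set-password path that silently truncates while the login path does not, next to one that rejects with a validation error. It assumes the limit of 20 acts as a prefix truncation on the set-password path only; `Account` and its method names are hypothetical, and PBKDF2 stands in for whatever hashing the application uses.

```python
import hashlib
import hmac
import os

MAX_FIELD_LEN = 20  # the limit named in the comment above


def _hash(password: str, salt: bytes) -> bytes:
    # Fixed-size output whatever the input length, so the stored value
    # does not need a wider column for a longer password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:  # hypothetical model, not a Roller class
    def __init__(self):
        self.salt = os.urandom(16)
        self.stored = b""

    def set_password_truncating(self, pw: str) -> None:
        # Reported behaviour: input past the limit is dropped with no message.
        self.stored = _hash(pw[:MAX_FIELD_LEN], self.salt)

    def set_password_validating(self, pw: str, max_len: int = MAX_FIELD_LEN) -> None:
        # Requested behaviour: reject and say why; the old password stays in place.
        if len(pw) > max_len:
            raise ValueError(f"password is {len(pw)} characters; limit is {max_len}")
        self.stored = _hash(pw, self.salt)

    def login(self, pw: str) -> bool:
        # The login path hashes whatever it is given, untruncated (assumption).
        return hmac.compare_digest(self.stored, _hash(pw, self.salt))


def demo() -> dict:
    pasted = "xaQ}W,3tg4.VkAy4b398C9cRu8gE$vm{%f}V;L96bJyWf}#ELa"  # from the ticket
    acct = Account()
    acct.set_password_truncating(pasted)
    result = {
        "full_password_logs_in": acct.login(pasted),
        "first_20_chars_log_in": acct.login(pasted[:MAX_FIELD_LEN]),
        "stored_len": len(acct.stored),
    }
    try:
        Account().set_password_validating(pasted)
        result["validation_error"] = None
    except ValueError as exc:
        result["validation_error"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```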