
Bug with password reset/login page and password length

By: danatkinsontablet | 30-08-2017 12:16

Hi there,

I've noticed a problem relating to a difference between your password reset page and the login page.

On your password reset page, you (inexplicably!) restrict passwords to 25 characters in length. However, this is not mentioned at all on the page. You only state the restrictions for minimum length, letters/numbers/symbols - no max length.

I use a password manager (best practice) to store my logins and usually my passwords are at least 30 characters long. When I created and pasted my password into your site, because your reset page has a max length of 25 characters on the input field, it simply truncates the rest of the password I created, and doesn't say a thing. So I update the password thinking I've now changed it to 30 characters but it's actually 25.

Then, on the login page, there is no restriction on password length, so I paste in my 30 character password and it fails - because you don't truncate your passwords on the login page.

This means that you've got a functionality difference between the reset and login pages. You restrict it on the reset page but not the login page. Further, you restrict passwords to 25 characters which is quite a small amount. I can't think of a good reason why you would restrict passwords to anything less than 100 characters. Ultimately, when the password goes into your system, it gets hashed (or it had better!) and converted into a string with a length that's the same as all the other passwords, so it has nothing to do with storage restrictions.

So, I have several points:

  1. You need to be up front about password length limits. You mention min 8 chars but don't mention max 25! You simply truncate a longer password without mentioning anything (UX flaw).
  2. Your login page has no restrictions on the password length. So if I create one in my password manager and paste it over, it's not cut off (UX flaw).
  3. There's no good reason why you restrict password length to that short. Seriously! If you have technical reasons, that's very worrying (security flaw).

Thanks, Dan
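
Added here as an illustration, not code from the post or from giffgaff: a small Python model of the mismatch Dan describes, with the reset page silently trimming to 25 characters while the login page hashes the full string, next to a corrected flow where one validation rule is enforced identically on both pages and over-long input is rejected with a message instead of being truncated. It assumes the reset page's cap behaves like an HTML `maxlength` attribute (client-side truncation with no error), uses PBKDF2-HMAC-SHA256 as a stand-in for whatever hash the site actually uses, and picks an assumed 128-character upper bound for the corrected policy; `DEMO_PASSWORD` and `DEMO_SALT` are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MIN_LEN = 8           # minimum the post says the reset page states
LEGACY_MAX_LEN = 25   # undocumented cap on the reset page, as described in the post
SANE_MAX_LEN = 128    # assumed upper bound for the corrected policy (not from the page)

# Constructed sample values so the demo is deterministic; a real system draws
# the salt per account from os.urandom().
DEMO_PASSWORD = "correct-horse-battery-staple30"   # 30 characters, constructed
DEMO_SALT = b"constructed-demo-salt"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The digest is always 32 bytes whatever the
    password length, which is the post's point: storage is no reason for a
    short cap."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes


# --- The flow the post describes: reset truncates, login does not ---

def flawed_reset(password: str, salt: bytes) -> Account:
    """Mimics an <input maxlength="25"> on the reset page: characters past the
    cap are dropped with no error, so the stored hash covers only a prefix."""
    truncated = password[:LEGACY_MAX_LEN]
    return Account(salt, hash_password(truncated, salt))


def flawed_login(account: Account, password: str) -> bool:
    """The login page applies no cap, so the full string is hashed and compared
    against a hash of the truncated one. Comparison is constant-time."""
    return hmac.compare_digest(account.digest, hash_password(password, account.salt))


# --- Corrected flow: one policy, enforced the same way on both pages ---

class PasswordPolicyError(ValueError):
    """Raised so the user sees the rule instead of having input silently altered."""


def validate(password: str) -> str:
    """Single source of truth for the length rules; never truncates."""
    if len(password) < MIN_LEN:
        raise PasswordPolicyError(f"password must be at least {MIN_LEN} characters")
    if len(password) > SANE_MAX_LEN:
        raise PasswordPolicyError(f"password must be at most {SANE_MAX_LEN} characters")
    return password


def consistent_reset(password: str, salt: Optional[bytes] = None) -> Account:
    salt = salt if salt is not None else os.urandom(16)
    return Account(salt, hash_password(validate(password), salt))


def consistent_login(account: Account, password: str) -> bool:
    """Same validate() as reset, so anything reset accepted, login accepts.
    Over-long input fails closed rather than being trimmed into a match."""
    try:
        checked = validate(password)
    except PasswordPolicyError:
        return False
    return hmac.compare_digest(account.digest, hash_password(checked, account.salt))


def demo() -> dict:
    """Reproduces the symptom from the post and shows the corrected behaviour."""
    flawed = flawed_reset(DEMO_PASSWORD, DEMO_SALT)
    fixed = consistent_reset(DEMO_PASSWORD, DEMO_SALT)
    return {
        "flawed_login_full_password": flawed_login(flawed, DEMO_PASSWORD),          # False
        "flawed_login_25_char_prefix": flawed_login(flawed, DEMO_PASSWORD[:25]),    # True
        "fixed_login_full_password": consistent_login(fixed, DEMO_PASSWORD),        # True
        "fixed_login_25_char_prefix": consistent_login(fixed, DEMO_PASSWORD[:25]),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two things the model makes visible. First, the flawed account is unlocked by the 25-character prefix of a 30-character password, so the undocumented cap quietly weakens every password that is longer than it. Second, a `maxlength` attribute on the form is only a hint to the browser; the same `validate()` rule has to run on the server for both the reset and the login request, or the two pages will drift apart exactly as the post describes. Where a backend does have a genuine reason for a ceiling (bcrypt, for instance, only reads the first 72 bytes of its input), the right response is still to state the limit on the page and reject longer input with an error, never to truncate it.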

Comments

by: keithwooldridge
on: 22-09-2017 20:54

Remembering such long passwords must be difficult in itself, but a good point well presented

by: ream613
on: 04-02-2018 03:00

Congratulations you are now employed!!! That presentation was very professional. Good point!

by: uvbmike
on: 27-12-2017 01:44

There are so many issues with logging in. In addition to what you point out, there's a big problem with the login process through the giffgaff app. When logged in sometimes, some areas of the site are accessible whilst others prompt for a username and password despite already being logged in.

The Community is a good example. Often when logged in through the app, the login doesn't carry through onto the Community.

by: reimon
on: 08-12-2017 21:08

nice

by: kamile_k
on: 04-11-2017 10:23

ok

by: mila27
on: 01-11-2017 10:42

good

by: sibtahmed
on: 28-10-2017 21:32

Good idea.

by: vladi2805
on: 28-10-2017 20:31

Completely agreed with Dan!

by: cass905
on: 23-10-2017 11:18

there's bugs everywhere after every update

by: chand311
on: 22-10-2017 00:33

Agreed with Dan.