Password longer than 64 characters is accepted on registration #3790

Open
MorsMortium opened this issue Apr 20, 2024 · 3 comments

@MorsMortium

Describe the bug
When making a new account, the password criteria are not written anywhere. When pasting a password longer than 64 characters into the field, it does not display that it is too long. The registration succeeds, but when trying to log in with it, it displays "The supplied password is too long."

ElkArte info

  1. Are you sure this is a core Elkarte problem and not caused by any addon you are using? Yes
  2. What ElkArte version are you using? ElkArte 1.1.9
  3. When did the issue start?
  4. What version of PHP are you running?
  5. MySQL or PostgreSQL and what version?

To Reproduce
Steps to reproduce the behavior:

  1. Go to register page
  2. Fill out the registration data, and paste a password longer than 64 characters
  3. Click on Register
  4. Try to log in
  5. See "The supplied password is too long."

Expected behavior
That the register page has some text saying that the password has to be at most 64 characters long, and when someone uses a longer password, it warns them again instead of accepting it.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here such as Webserver version, Database type & version, etc.

@Spuds Spuds added the bug label Apr 24, 2024
@Spuds Spuds added this to the 1.1.10 milestone Apr 24, 2024
@Spuds
Contributor

Spuds commented Apr 24, 2024

Thank you for the report.

Looking at this there are two options.

  1. Perform the length check and provide the feedback that the password is too long. This needs to be done during registration and in the profile (when they change passwords). There would be both a JS check and then a server validation as well. Unfortunately there is not a one-file fix here, and two language strings need to be introduced.

  2. Accept the long password, as much as the form will allow in length, and do a simple truncate at 64 characters with no feedback. The system would simply use the first 64 characters for all the crypt functions. This would probably only affect a couple of files.

If you have a preference, let me know.
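The two options above, written out as an added example (this is not ElkArte's code and not from the issue thread; the 64-character limit, the `error_password_too_long` language key and the function names are assumptions for illustration). The point it makes concrete is that a server-side check must run on every path that sets a password, because the JS check alone can be bypassed, and that silent truncation leaves the account with a credential the user never typed:

```php
<?php
// Added example, not ElkArte code. Shows option 1 (reject with feedback)
// next to option 2 (silent truncation) from the discussion above.
// MAX_PASSWORD_LENGTH and the error key are illustrative assumptions.

const MAX_PASSWORD_LENGTH = 64;

/**
 * Option 1: shared server-side length check, meant to be called from both
 * registration and the profile password-change handler, after any
 * client-side JS check. Returns the language-string key to show the user,
 * or null when the password is acceptable.
 */
function validatePasswordLength(string $password, int $max = MAX_PASSWORD_LENGTH): ?string
{
    // Count characters rather than bytes so the limit matches what the
    // user sees in the field. If the hashing layer truncates on bytes,
    // a byte-based limit would be the safer choice; this example follows
    // the character count used in the issue text.
    if (mb_strlen($password, 'UTF-8') > $max) {
        return 'error_password_too_long'; // hypothetical language key
    }
    return null;
}

/**
 * Option 2: silent truncation. Included only to make the pitfall visible:
 * the value that ends up hashed is not the value the user supplied.
 */
function truncatePassword(string $password, int $max = MAX_PASSWORD_LENGTH): string
{
    return mb_substr($password, 0, $max, 'UTF-8');
}

// Constructed sample input: 70 characters, 6 over the limit.
$typed = str_repeat('a', 60) . '0123456789';

// Option 1 path: registration and profile change both refuse the password
// and hand back a key the template maps to a visible message.
$error = validatePasswordLength($typed);
if ($error !== null) {
    echo "registration rejected: $error\n";
}
// A password exactly at the limit passes.
if (validatePasswordLength(str_repeat('a', MAX_PASSWORD_LENGTH)) === null) {
    echo "64-character password accepted\n";
}

// Option 2 path: registration stores a hash of the truncated value. If login
// later applies a length check instead of the same truncation, the password
// the user actually typed is rejected as too long, which is the surprise
// described in this issue.
$stored = truncatePassword($typed);
if ($stored !== $typed) {
    echo "stored credential differs from what the user typed\n";
}
```

Whichever option is chosen, registration, profile change and login have to agree on the rule; the bug in this issue is exactly the case where registration and login treat the same password differently.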

@MorsMortium
Author

The second option might be what is happening right now. At least the registration was accepted, but I didn't confirm that the password was just the truncated original; instead I made a new one.

But I would prefer the first option, which is used everywhere else and would make less of a surprise than the first, when the registration is successful but with a different password than was originally supplied.

Spuds added a commit to Spuds/Elkarte that referenced this issue Apr 25, 2024
@Spuds
Contributor

Spuds commented Apr 25, 2024

Sounds good to me ... Spuds@961b2eb should take care of the issue during registration and password changes.
