Login screen doesn't detail password requirements.

Bug #647023 reported by Timmmm
This bug affects 3 people
Affects: Canonical SSO provider
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned

Bug Description

Passwords must be at least 8 characters and contain an uppercase letter. This is public knowledge.

I have twice now had to reset my password because I couldn't remember the one I used for launchpad. The reason I couldn't remember it is because I don't normally use uppercase letters in passwords.

A simple solution to this problem is: On the login page (or perhaps the incorrect password page), state that the password must contain 8 letters and at least one uppercase letter. THIS DOES NOT COMPROMISE SECURITY IN ANY WAY AT ALL! But it would have provided me with enough information to remember what password I had used.

Māris Fogels (mars) wrote :

I am assigning this to the Registry project as Curtis is actively looking for his team to clean up the login pages (see this thread for the discussion: https://lists.launchpad.net/launchpad-dev/msg04761.html)

Curtis Hovey (sinzui)
affects: launchpad → canonical-identity-provider
Curtis Hovey (sinzui) wrote :

I am not certain this is a Launchpad issue since this is an Ubuntu SSO issue. Pages should always set user expectations--No one should discover the rules to using a form after trying it :(.

As for Launchpad, I think it should link to the real Ubuntu SSO site instead of misleading users into thinking Launchpad is managing their identity information.

Stuart Metcalfe (stuartmetcalfe) wrote :

I agree that we should provide a hint for users who have forgotten their password before they attempt to reset it but I think it will clutter the interface unnecessarily to display it by default. Let's add the password requirements to the password field on the login form for any incorrect login attempt and also display them in a highlighted box of some kind at the top of the 'forgot password' page. The highlighted box should probably contain some surrounding text and a link back to the login form.

Stuart Metcalfe (stuartmetcalfe) wrote :

For the surrounding text, let's use

Before you reset your password, here's a reminder of the requirements:

{password requirements text}

I've remembered my password <- this is a link back to the login form. It should pre-fill the email address field if that was previously passed in to the 'forgot password' form.

Changed in canonical-identity-provider:
status: New → Triaged
importance: Undecided → Medium
Timmmm (tdhutt) wrote :

THIS STILL ISN'T FIXED!

Yes I'm shouting. Just ended up resetting my password again because my normal password doesn't have any capital letters. (Yeah yeah, using the same password, etc. etc. whatever.)

Seriously. Fix this.

NOW.

Timmmm (tdhutt) wrote :

Also, Stuart: Having the password requirements listed on the "Forgot my password" page will be almost equally annoying. It should be displayed at the point where you enter the password. And as close as possible to the password edit box, so there's a chance I will actually read it.

Something like this:

Username/email address: [ ]
Password (at least 1 uppercase letter and number): [ ]

To do anything less is to not fix this bug.

Daniel Manrique (roadmr) wrote :

The password requirement is now 8 characters, no longer requiring uppercase letters or numbers.

Changed in canonical-identity-provider:
status: Triaged → Won't Fix