Forgot your password? Confusing message when new password does not fit the pw_regex
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | New | Wishlist | Unassigned |
Bug Description
Evergreen 2.10.4
When a patron uses the "Forgot your password?" link, the resulting reset form will return a confusing message if the password does not fit the pw_regex.
We have a password regex that allows a variety of characters but not all. When a patron tried to use a complex password like "E9*km(
“The password you chose was not considered complex enough to protect your account. Your password has not been reset."
This results in the patron trying ever more complex passwords when in reality they used an unsupported character.
I think this is a limit of "check_
```perl
sub check_password_ {
    my ($password, $pw_regex) = @_;
    $pw_regex = qr/$pw_regex/;
    # Only test is whether the password matches the site's regex.
    if ($password !~ /$pw_regex/) {
        return 0;
    }
    return 1;
}
```
As far as I can tell that function isn't really checking strength.
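As an added example (not Evergreen's own code), one way a site could separate the two failure modes: keep the same regex gate as the function above, but also test each character against an allow-list that mirrors the regex's character class, so the OPAC can say "unsupported character" instead of "not complex enough". The regex, the allow-list and the function name below are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not Evergreen code. Same gate as the regex check in the bug
# report, but the caller learns *why* the password failed.
use strict;
use warnings;

# Hypothetical site regex (an assumption, not Evergreen's default):
# 8+ characters, at least one digit and one letter, only listed characters.
my $pw_regex = '^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9!\@#\$%^&*]{8,}$';
# Hypothetical allow-list; must be kept in sync with the class in $pw_regex.
my $allowed_chars = qr/[A-Za-z0-9!\@#\$%^&*]/;

sub check_password_with_reason {
    my ($password, $pw_regex, $allowed_chars) = @_;
    my $re = qr/$pw_regex/;
    return ('ok', '') if $password =~ $re;   # same test as the original check

    # Collect characters outside the allowed set so the message can name them.
    my %bad;
    for my $ch (split //, $password) {
        $bad{$ch} = 1 unless $ch =~ $allowed_chars;
    }
    if (%bad) {
        my $list = join ' ', sort keys %bad;
        return ('unsupported_char', "These characters are not allowed: $list");
    }
    # Every character is allowed, so the regex failed on length or complexity.
    return ('too_weak', 'The password is not complex enough');
}

# Constructed sample passwords: a disallowed "(", a weak one, a good one.
for my $pw ('E9*km(abc', 'password', 'Good9pass!') {
    my ($code, $msg) = check_password_with_reason($pw, $pw_regex, $allowed_chars);
    printf "%-12s -> %s %s\n", $pw, $code, $msg;
}
```

The allow-list duplicates information already in the regex, so a site that changes its pw_regex has to update both; deriving the class from the regex automatically is not attempted here.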
tags: added: patron wishlist
tags: added: opac-account; removed: wishlist
Changed in evergreen: importance: Undecided → Wishlist
Given that Evergreen sites can customize the regex in any number of ways, I think it is in their best interest to customize this message in password_reset.tt2 to clearly define what the user needs to use for a password. I don't think there is a way to supply a generic message that covers all cases.
I'm inclined to say this is not a bug, but I'm open to other opinions on this issue.