Forgot your password? Confusing message when new password does not fit the pw_regex

Bug #1659424 reported by Bob Wicksall
This bug affects 2 people
Affects: Evergreen
Status: New
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Evergreen 2.10.4

When a patron uses the "Forgot your password?" link, the resulting reset form will return a confusing message if the password does not fit the pw_regex.

We have a password regex that allows a variety of characters but not all. When a patron tried to use a complex password like "E9*km(IQ@M9+y@Zw";Ro.n)q.5" he received the following message:

"The password you chose was not considered complex enough to protect your account. Your password has not been reset."

This results in the patron trying ever more complex passwords when in reality they used an unsupported character.

I think this is a limit of "check_password_strength_custom" in "OpenILS/Application/Actor.pm"

 # With a site-supplied regex, the only test is whether the password matches it,
 # so any mismatch (an unsupported character included) ends up reported to the
 # patron as "not complex enough".
 sub check_password_strength_custom {
     my ($password, $pw_regex) = @_;

     # Compile the site's pattern string into a regex object.
     $pw_regex = qr/$pw_regex/;
     # Return 0 on a mismatch; nothing about strength is measured.
     if ($password !~ /$pw_regex/) {
         return 0;
     }
     return 1;
 }

As far as I can tell that function isn't really checking strength.

Kathy Lussier (klussier) wrote :

Given that Evergreen sites can customize the regex in any number of ways, I think it is in their best interest to customize this message in password_reset.tt2 to clearly define what the user needs to use for a password. I don't think there is a way to supply a generic message that covers all cases.

I'm inclined to say this is not a bug, but I'm open to other opinions on this issue.

Bob Wicksall (bwicksall) wrote :

I'd argue that it is a bug or at the very least needs some refinement. It looks like if there is no regex then "check_password_strength_default" does actually check password strength in a basic way. It checks for length > 7 among other things. On the other hand when a regex is provided then "check_password_strength_custom" really only checks for valid characters in the password. In that case maybe it should return a different error.
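As an added example, not code from this bug thread or from Evergreen, the following Python sketch shows the separation proposed in the two posts above: a check that tells "contains a character the site's regex does not allow" apart from "matches the allowed character set but is not complex enough", so the reset form could show a different message for each. The site regex, the allowed character list and the extra strength rules are constructed assumptions; the page only says the default check requires length greater than 7 "among other things".

```python
import re
from typing import List, Tuple

# Constructed site policy (an assumption for this example, not Evergreen's shipped
# pw_regex): 8 or more characters drawn only from letters, digits and this punctuation.
ALLOWED_CHARS = r"A-Za-z0-9!@#$%^&*()_+=.,?"
SITE_PW_REGEX = rf"^[{ALLOWED_CHARS}]{{8,}}$"


def check_password_strength_custom(password: str, pw_regex: str) -> int:
    """Python mirror of the Perl sub quoted in the report: 1 if the regex matches,
    else 0. A single bit, so the caller cannot tell *why* a password was rejected."""
    return 1 if re.search(pw_regex, password) else 0


def basic_strength_problems(password: str) -> List[str]:
    """Assumed stand-in for a default-style strength check. The report only says the
    default requires length > 7 'among other things'; the letter/digit rules here
    are constructed for the example."""
    problems = []
    if len(password) <= 7:
        problems.append("too short (need more than 7 characters)")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def explain_password_rejection(password: str, pw_regex: str = SITE_PW_REGEX,
                               allowed_chars: str = ALLOWED_CHARS) -> Tuple[bool, str, List[str]]:
    """Return (accepted, reason, details), separating the two failure modes that the
    custom check conflates.

    reason is "unsupported_characters" (details: the offending characters, sorted),
    "not_complex_enough" (details: strength problems), or "ok".
    """
    # Test each character against the allowed set first; this is the case the report
    # describes, where a strong password is refused for using characters like ';' or '"'.
    unsupported = sorted({c for c in password if not re.fullmatch(f"[{allowed_chars}]", c)})
    if unsupported:
        return False, "unsupported_characters", unsupported
    # Every character is allowed, so a regex failure now really is about form or length.
    if not check_password_strength_custom(password, pw_regex):
        return False, "not_complex_enough", basic_strength_problems(password)
    return True, "ok", []


if __name__ == "__main__":
    # Candidates: the password quoted in the report plus two constructed ones.
    for candidate in ['E9*km(IQ@M9+y@Zw";Ro.n)q.5', "abc", "Abcdefg1"]:
        print(candidate, "->", explain_password_rejection(candidate))
```

Run as a script, the reported password is classified as "unsupported_characters" with details `['"', ';']` rather than as a weak password, which is the message the patron would have needed.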

Kathy Lussier (klussier) wrote :

I'm adding a note that there is a message in password_reset_msg.tt2 that is used to inform the user of the password format when they update their password from my account, but it doesn't appear on the password reset page. I don't think it addresses the original bug report, but it does provide some guidance to the user when they try to create a password. I'll create a new bug and post some code to get that message to display on the password reset page.

Kathy Lussier (klussier) wrote :

Correction: the file is myopac/update_password_msg.tt2, not password_reset_msg.tt2

Elaine Hardy (ehardy)
tags: added: patron wishlist
tags: added: opac-account
removed: wishlist
Changed in evergreen:
importance: Undecided → Wishlist