Old password is still valid after password change
Bug #460950 reported by Anuradha Ratnaweera
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libpam-ccreds (Ubuntu) | Triaged | Low | Unassigned |
Bug Description
Binary package hint: libpam-ccreds
This is partly related to #294977.
- User logs in, ccreds caches the "old password"
- User changes the password
- Then the user goes offline without logging in again
This scenario leaves the old password valid when offline, and the new password invalid.
Should this be reported upstream? Or can libpam-ccreds be used in common-password to "store" the password on success?
As also pointed out in #294977, this is a security issue if the old password has been compromised.
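A small Python model of the scenario in the report, added here as an illustration (it is not pam_ccreds code): the cache keeps a salted hash of the last password that authenticated online, and the hypothetical `hook_change` flag stands in for the common-password hook the reporter asks about. All names (`CredCache`, `Directory`, `run_scenario`, user "alice") are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so the cache does not hold a recoverable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CredCache:
    """Offline credential cache: user -> (salt, hash), like a ccreds file."""

    def __init__(self):
        self._entries = {}

    def store(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._entries[user] = (salt, _hash(password, salt))

    def validate(self, user: str, password: str) -> bool:
        if user not in self._entries:
            return False
        salt, digest = self._entries[user]
        return hmac.compare_digest(digest, _hash(password, salt))


class Directory:
    """Stand-in for the network authentication source (constructed)."""

    def __init__(self):
        self._pw = {}

    def set_password(self, user: str, password: str) -> None:
        self._pw[user] = password

    def check(self, user: str, password: str) -> bool:
        return self._pw.get(user) == password


def run_scenario(hook_change: bool) -> tuple:
    """Return (old password valid offline, new password valid offline)."""
    directory, cache = Directory(), CredCache()
    directory.set_password("alice", "old-pw")
    # 1. Online login succeeds against the directory; ccreds caches it.
    if directory.check("alice", "old-pw"):
        cache.store("alice", "old-pw")
    # 2. Password change while online. Without a hook the cache is untouched.
    directory.set_password("alice", "new-pw")
    if hook_change:
        cache.store("alice", "new-pw")  # what a common-password hook would do
    # 3. User goes offline without logging in again: only the cache is consulted.
    return cache.validate("alice", "old-pw"), cache.validate("alice", "new-pw")
```

Without the hook the old password keeps working offline and the new one fails; with it the cache follows the change.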
visibility: private → public
Changed in libpam-ccreds (Ubuntu):
status: New → Triaged
importance: Undecided → Low