Password edit maxlength isn't being validated properly
I generate 64 char length passwords nowadays. I changed my password and couldn't log in and had to change it again. I did this twice before realizing the site restricts password size to 50 through the "maxlength" HTML attribute. (https://www.ownedcore.com/forums/pro...o=editpassword)
Since it's not actually being validated, I was able to edit it to make my password 64 chars long, the database accepted it and I was able to log in properly with the 64 char length password afterwards.
Keep in mind this means 2 things:
- Users have no feedback when they hit or exceed the character limit. Bad user experience.
- The front end and back end validation isn't the same, which can lead to data corruption in some cases. -- I haven't tested how many characters the DB will accept, but it would be worth checking that it is being validated on that side as well.
It's a frustrating user experience and anybody with a > 50 char password will have enough knowledge, when faced with a bug involving password or authentication, to question the credibility of the site.
What's a Parog?
Looking for competitive Valorant team!
-
simple HTML edit, I'll ping Zab
-
I mean, 50 is an odd number for a limit, but IMO that attribute shouldn't be used to enforce the actual password limit as it gives no feedback to the user and there is no actual validation done before submitting.
Ideally you'd have client-side validation to save server resources, but since this one doesn't require a DB query, you could just add a check for it and give feedback to the user via the vBulletin standard error message, like you do on the very same form with the email.
All in all, in scenarios where this would happen, you'd save the DB queries the user will have to do when doing the whole password reset procedure since they can't log in.
Last edited by Parog; 09-25-2020 at 11:23 AM.
-
Originally Posted by Parog
I generate 64 char length passwords nowadays. I changed my password and couldn't log in and had to change it again. I did this twice before realizing the site restricts password size to 50 through the "maxlength" HTML attribute. (https://www.ownedcore.com/forums/pro...o=editpassword)
Since it's not actually being validated, I was able to edit it to make my password 64 chars long, the database accepted it and I was able to log in properly with the 64 char length password afterwards.
Keep in mind this means 2 things:
- Users have no feedback when they hit or exceed the character limit. Bad user experience.
- The front end and back end validation isn't the same, which can lead to data corruption in some cases. -- I haven't tested how many characters the DB will accept, but it would be worth checking that it is being validated on that side as well.
It's a frustrating user experience and anybody with a > 50 char password will have enough knowledge, when faced with a bug involving password or authentication, to question the credibility of the site.
I have also tried to change my password, but after generating the password it's taking too long to validate. Tried more than three times, but the result doesn't change.
Last edited by stevenDS; 08-26-2021 at 02:08 PM.