Password edit maxlength isn't being validated properly

  1. #1 Parog

    Password edit maxlength isn't being validated properly

    I generate 64 char length passwords nowadays. I changed my password and couldn't log in and had to change it again. I did this twice before realizing the site restricts password size to 50 through the "maxlength" HTML attribute. ( https://www.ownedcore.com/forums/pro...o=editpassword )

    Since it's not actually being validated, I was able to edit it to make my password 64 chars long, the database accepted it and I was able to log in properly with the 64 char length password afterwards.

    Keep in mind this means 2 things:
    • Users have no feedback when they hit or exceed the character limit. Bad user experience.
    • The front-end and back-end validation aren't the same, which can lead to data corruption in some cases. -- I haven't tested how many characters the DB will accept, but it would be worth checking that it is being validated on that side as well.


    It's a frustrating user experience and anybody with a > 50 char password will have enough knowledge, when faced with a bug involving password or authentication, to question the credibility of the site.
  2. #2 ev0 (Super Moderator)
    Simple HTML edit, I'll ping Zab


  3. #3 Parog
    I mean, 50 is an odd number for a limit, but IMO that attribute shouldn't be used to enforce the actual password limit as it gives no feedback to the user and there is no actual validation done before submitting.

    Ideally you'd have client-side validation to save server resources, but since this one doesn't require a DB query, you could just add a check for it and give feedback to the user via the vBulletin standard error message, like you do on the very same form with the email.

    All in all, in scenarios where this would happen, you'd save the DB queries the user will have to do when doing the whole password reset procedure since they can't log in.
    Last edited by Parog; 09-25-2020 at 11:23 AM.
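The fix Parog describes in post #3 (one length rule, applied on the client for feedback and enforced again on the server), as an added example in JavaScript (Node) that is not code from the thread or from vBulletin. The 50-character limit is the maxlength the thread reports; the minimum of 8, the field name `newpassword` and all function names are assumptions made for illustration.

```javascript
// Added example, not code from the thread or from vBulletin. It shows why an
// HTML maxlength attribute is not validation, and how one shared length rule
// can give the user feedback on the client and be enforced on the server.
// Assumed values: PASSWORD_MAX = 50 is the maxlength the thread reports;
// PASSWORD_MIN = 8, the field name "newpassword" and all function names are
// invented for illustration.

const PASSWORD_MIN = 8;   // assumed minimum, for illustration
const PASSWORD_MAX = 50;  // the site's maxlength value from the thread

// Single source of truth for the rule. Returns null when the password is
// acceptable, otherwise a user-facing message. Length is counted in Unicode
// code points so the number matches what the user sees, not UTF-16 units.
function checkPasswordLength(password, { min = PASSWORD_MIN, max = PASSWORD_MAX } = {}) {
  if (typeof password !== 'string') return 'Password is required.';
  const length = [...password].length;
  if (length < min) return `Password must be at least ${min} characters (got ${length}).`;
  if (length > max) return `Password must be at most ${max} characters (got ${length}).`;
  return null;
}

// What maxlength="50" actually does in the browser: it silently drops input
// past 50 characters. A user who pasted 64 characters ends up with a different
// password than the one in their password manager, which is the login failure
// described in post #1.
function simulateMaxlengthInput(typed, maxlength = PASSWORD_MAX) {
  return [...typed].slice(0, maxlength).join('');
}

// Client-side feedback: run the same rule before submit and return the
// message to display instead of letting the attribute truncate silently.
function clientFeedback(typed) {
  return checkPasswordLength(typed);
}

// Server as the thread found it: nothing checks the length, so a request
// sent with the attribute removed is stored as-is.
function handlePasswordChangeUnchecked(body) {
  return { status: 200, stored: body.newpassword, error: null };
}

// Server with the rule enforced: the client is untrusted, so the check is
// repeated here regardless of what the form looked like, before any hashing
// or database write.
function handlePasswordChangeChecked(body) {
  const error = checkPasswordLength(body.newpassword);
  if (error) return { status: 400, stored: null, error };
  return { status: 200, stored: body.newpassword, error: null };
}

// Walk through the thread's scenario with a constructed 64-char password.
function runScenario(typed = 'p'.repeat(64)) {
  const truncated = simulateMaxlengthInput(typed);      // what the form submits
  const bypassed = { newpassword: typed };              // maxlength removed by the user
  return {
    truncatedLength: [...truncated].length,             // 50: password changed silently
    feedback: clientFeedback(typed),                    // message the user should see
    unchecked: handlePasswordChangeUnchecked(bypassed), // 200: server never validated
    checked: handlePasswordChangeChecked(bypassed),     // 400: server rejects with message
  };
}

console.log(runScenario());
```

Because `checkPasswordLength` is the only place the limit lives, the client and server cannot drift apart the way the thread's form and database did, and the server result carries the same message the form shows, which is the feedback post #1 says is missing. Counting code points rather than `String.length` keeps a 50-character password containing emoji or accented letters from being rejected on one side and accepted on the other.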

Powered by vBulletin® Version 4.2.3