Password edit maxlength isn't being validated properly

  1. #1 Parog


    I generate 64 char length passwords nowadays. I changed my password and couldn't log in and had to change it again. I did this twice before realizing the site restricts password size to 50 through the "maxlength" HTML attribute. ( https://www.ownedcore.com/forums/pro...o=editpassword )

    Since it's not actually being validated, I was able to edit it to make my password 64 chars long, the database accepted it and I was able to log in properly with the 64 char length password afterwards.

    Keep in mind this means 2 things:
    • Users have no feedback when they hit or exceed the character limit. Bad user experience.
    • The front end and back end validation isn't the same, which can lead to data corruption in some cases. -- I haven't tested how many characters the DB will accept, but it would be worth checking that it is being validated on that side as well.


    It's a frustrating user experience and anybody with a > 50 char password will have enough knowledge, when faced with a bug involving password or authentication, to question the credibility of the site.
  3. #2
    ev0's Avatar Super Moderator murlocs.com

    CoreCoins Purchaser Authenticator enabled
    Reputation
    1850
    Join Date
    Jul 2012
    Posts
    2,751
    Thanks G/R
    313/377
    Trade Feedback
    16 (100%)
    Mentioned
    7 Post(s)
    Tagged
    7 Thread(s)
    simple HTML edit, I'll ping Zab


  4. #3
    Parog's Avatar Kitsune Da-O! M.L.G. CoreCoins Purchaser Authenticator enabled
    Reputation
    1527
    Join Date
    May 2007
    Posts
    3,174
    Thanks G/R
    540/265
    Trade Feedback
    19 (100%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I mean, 50 is an odd number for a limit, but IMO that attribute shouldn't be used to enforce the actual password limit as it gives no feedback to the user and there is no actual validation done before submitting.

    Ideally you'd have either a client-side validation to save server resources, but since this one doesn't require a DB query, you could just add a check for it and give feedback to the user via the vBulletin standard error message, like you do on the very same form with the email.

    All in all, in scenarios where this would happen, you'd save the DB queries the user will have to do when doing the whole password reset procedure since they can't log in.
    Last edited by Parog; 09-25-2020 at 11:23 AM.
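    The fix both posts above ask for, that the form's limit and the server's check come from one place and the server gives a clear error instead of silently accepting or truncating, as an added example that is not the forum's, Parog's or vBulletin's own code. The constant name PASSWORD_MAX_LENGTH and the functions renderPasswordField, validateNewPassword and handlePasswordChange are hypothetical; the 50-character limit is the one the thread reports, and the sample inputs are constructed.

```javascript
// Added example (not vBulletin's or the forum's own code): a single source of
// truth for the password length limit, used both to render the form's
// maxlength attribute and to validate on the server, so the two cannot drift.
// All names here are hypothetical.

const PASSWORD_MAX_LENGTH = 50; // the limit reported in the thread

// Client side: maxlength is only a usability hint. The attribute can be removed
// in the browser's developer tools, so it must never be the real control.
function renderPasswordField(name) {
  return `<input type="password" name="${name}" ` +
         `maxlength="${PASSWORD_MAX_LENGTH}" autocomplete="new-password">`;
}

// Server side: the check that actually counts. Length is measured in Unicode
// code points (Array.from iterates code points, not UTF-16 units) so that a
// character outside the Basic Multilingual Plane counts once, the same unit
// the form is told to enforce.
function validateNewPassword(password) {
  if (typeof password !== 'string' || password.length === 0) {
    return { ok: false, error: 'Please enter a new password.' };
  }
  const length = Array.from(password).length;
  if (length > PASSWORD_MAX_LENGTH) {
    return {
      ok: false,
      error: `Password must be at most ${PASSWORD_MAX_LENGTH} characters ` +
             `(you entered ${length}).`,
    };
  }
  return { ok: true, error: null };
}

// Simulated form handler: on failure it returns the kind of standard error
// message the thread asks for, rather than storing a value the form never
// warned the user about. `store` stands in for whatever persists the hash.
function handlePasswordChange(formFields, store) {
  const result = validateNewPassword(formFields.newpassword);
  if (!result.ok) {
    return { status: 400, body: { error: result.error } };
  }
  store.save(formFields.newpassword); // in a real system: hash first, store the hash
  return { status: 200, body: { message: 'Password updated.' } };
}

// Constructed sample inputs: the thread's 64-character password submitted
// with the maxlength attribute stripped, and one that fits the limit.
const sampleStore = { saved: [], save(p) { this.saved.push(p); } };
console.log(handlePasswordChange({ newpassword: 'x'.repeat(64) }, sampleStore));
console.log(handlePasswordChange({ newpassword: 'correct horse battery staple' }, sampleStore));
```

    The point of the shared constant is that raising the limit later (the thread notes 50 is an odd choice) changes the attribute and the server check together, and the server check is the only one that matters for what reaches the database.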

  5. #4
    stevenDS's Avatar Member
    Reputation
    1
    Join Date
    Jun 2021
    Posts
    1
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Parog View Post
    I generate 64 char length passwords nowadays. I changed my password and couldn't log in and had to change it again. I did this twice before realizing the site restricts password size to 50 through the "maxlength" HTML attribute. ( https://www.ownedcore.com/forums/pro...o=editpassword )

    Since it's not actually being validated, I was able to edit it to make my password 64 chars long, the database accepted it and I was able to log in properly with the 64 char length password afterwards.

    Keep in mind this means 2 things:
    • Users have no feedback when they hit or exceed the character limit. Bad user experience.
    • The front end and back end validation isn't the same, which can lead to data corruption in some cases. -- I haven't tested how many characters the DB will accept, but it would be worth checking that it is being validated on that side as well.


    It's a frustrating user experience and anybody with a > 50 char password will have enough knowledge, when faced with a bug involving password or authentication, to question the credibility of the site.
    I have also tried to change my password, but after generating the password it takes too long to validate. I tried more than three times, but the result doesn't change.
    Last edited by stevenDS; 4 Weeks Ago at 02:08 PM.
