MobileRead Forums - View Single Post - Password rules not disclosed

Andy2No · 03-05-2019, 10:52 AM

Having not used the forum in a few years, I was told I'd entered the "wrong" username or password - I'm fairly sure I hadn't, because I wrote it down, but I'm used to being told that.

The problem is, when changing the password, after having to declare I'd "forgotten" mine, the forum engine accepted a new password from me, which I then couldn't log in with - so I had to say I'd "forgotten" it again - I definitely hadn't. I wrote it down.

I've seen this before; your forum apparently has strict rules for the sort of password it accepts, but it doesn't say what those rules are, when changing the password, and it accepts passwords which break those rules, as the new password. Of course, it's not possible to log in with a password that breaks the rules...

It remains to be seen whether my latest new password is going to work next time - because I still don't know the rules.

How to reproduce this:

Click the "Forgot password" link, wait for the email, click the link in that email, wait for the next one then log in with those details. Since that password has already been compromised by being visible to anyone capable of seeing your emails, you now need to change it - go to the User Control Panel "Edit Password & Email" page to do that.

Now enter a new password. I tried seven characters, some of which were digits, one of which was "special" - an @ character. I was allowed to set that, and also wrote it down.

Now log out, or wait to be logged out, and try logging in.

When I did that, I was told I had entered a wrong username or password. At no point was I told what the rules were for an acceptable password - and I suspect the user CP page to change it would probably accept anything I typed. However, only passwords matching the rules will work - whatever those rules are.

03-05-2019, 10:52 AM	#1
Andy2No Junior Member Posts: 7 Karma: 10 Join Date: Jul 2014 Device: Kobo Mini	Password rules not disclosed - had to reset mine twice, so far today Having not used the forum in a few years, I was told I'd entered the "wrong" username or password - I'm fairly sure I hadn't, because I wrote it down, but I'm used to being told that. The problem is, when changing the password, after having to declare I'd "forgotten" mine, the forum engine accepted a new password from me, which I then couldn't log in with - so I had to say I'd "forgotten" it again - I definitely hadn't. I wrote it down. I've seen this before; your forum apparently has strict rules for the sort of password it accepts, but it doesn't say what those rules are, when changing the password, and it accepts passwords which break those rules, as the new password. Of course, it's not possible to log in with a password that breaks the rules... It remains to be seen whether my latest new password is going to work next time - because I still don't know the rules. How to reproduce this: Click the "Forgot password" link, wait for the email, click the link in that email, wait for the next one then log in with those details. Since that password has already been compromised by being visible to anyone capable of seeing your emails, you now need to change it - go to the User Control Panel "Edit Password & Email" page to do that. Now enter a new password. I tried seven characters, some of which were digits, one of which was "special" - an @ character. I was allowed to set that, and also wrote it down. Now log out, or wait to be logged out, and try logging in. When I did that, I was told I had entered a wrong username or password. At no point was I told what the rules were for an acceptable password - and I suspect the user CP page to change it would probably accept anything I typed. However, only passwords matching the rules will work - whatever those rules are.