[BUG] Missing user password requirements #5082

Open
2 tasks done
zeorin opened this issue Jun 22, 2024 · 1 comment
Labels
C-bug Category: Bug S-awaiting-triage Status: New issues that have not been assessed yet

Comments


zeorin commented Jun 22, 2024

Bug Description

Logging in to a new account and entering a password like this:

1=mh>;e#ps0;/iHO4,,u:s.oo^m'}u.};xU=,UX,(m{eI+(7-9taEg3rb)!0R.m/$#rN< ZdTuX[4b;YYa827JN`E:UIB]@-`}Tbrv`Z,^PG:8!aXNekK>9`gBu2b$A&

(I use pass, and this is a 128-character password generated by it).

It is not clear in what way such a password is not valid.

I have noticed that when typing a password, it explains if the password is too short, or doesn't contain numbers or special characters. Length is a good requirement, but special characters, etc. are not: https://pages.nist.gov/800-63-3/

Despite being well-intentioned, in practice such requirements reduce overall password security.

Expected Behavior

It should accept my password. There is no reason not to accept it. Passwords of length up to 1024 are generally reasonable to accept (limiting the network request payload size only; once hashed they're all the same size anyway).

Actual Behavior

When I try to use this to set a password:


The server responded with a 400:

{
	"error": {
		"type": "invalid_request",
		"message": "Invalid Password",
		"code": "UR_09"
	}
}

Steps To Reproduce


  1. Go to reset password
  2. Submit the form with my example password

Context For The Bug

I was trying to set a password so I could explore hyperswitch's sandbox

Environment

This is on current hyperswitch.io

Have you spent some time checking if this bug has been raised before?

  • I checked and didn't find a similar issue

Have you read the Contributing Guidelines?

Are you willing to submit a PR?

No, I don't have time to work on this right now

@zeorin zeorin added C-bug Category: Bug S-awaiting-triage Status: New issues that have not been assessed yet labels Jun 22, 2024
@ThisIsMani (Contributor) commented

In our application, the maximum size of a password is 70 characters. That's why your password is invalid.

We didn't anticipate the case where users try to use a password that is more than 70 characters long. So, maybe because of that, this error was not handled properly.
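
The two policies discussed in this thread, the composition-rule checker the reporter describes plus the 70-character cap from the reply on one side, and a NIST SP 800-63B style checker on the other, side by side as an added example in Rust (the language hyperswitch is written in). This is illustrative code written for this page, not hyperswitch's validator: the function names, the `PasswordError` variants, the constructed blocklist and the 1024-character upper bound (taken from the reporter's suggestion) are all assumptions. The legacy checker is a reconstruction of the behaviour the thread describes, not the project's code, and both checkers return a specific reason rather than a bare "Invalid Password" so the client can tell the user what to change.

```rust
use std::fmt;

/// Minimum length per NIST SP 800-63B for memorized secrets (at least 8 characters).
pub const MIN_CHARS: usize = 8;
/// Upper bound suggested in the issue; an assumption for this example, not a hyperswitch
/// setting. NIST only asks that at least 64 characters be accepted.
pub const MAX_CHARS: usize = 1024;
/// The 70-character cap mentioned in the maintainer's reply, used by the legacy checker.
pub const LEGACY_MAX_CHARS: usize = 70;

/// Constructed stand-in for a breached/common-password blocklist (800-63B 5.1.1.2).
const BLOCKLIST: &[&str] = &["password", "12345678", "qwertyui", "hyperswitch"];

/// Every rejection carries the reason, so the API can explain itself instead of
/// returning an opaque error code.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PasswordError {
    TooShort { len: usize, min: usize },
    TooLong { len: usize, max: usize },
    ControlCharacter,
    Blocklisted,
    // Composition rules; only the legacy checker produces these.
    MissingDigit,
    MissingSpecial,
}

impl fmt::Display for PasswordError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            PasswordError::TooShort { len, min } => {
                write!(f, "password has {len} characters; at least {min} required")
            }
            PasswordError::TooLong { len, max } => {
                write!(f, "password has {len} characters; at most {max} accepted")
            }
            PasswordError::ControlCharacter => write!(f, "password contains a control character"),
            PasswordError::Blocklisted => write!(f, "password is on the common-password blocklist"),
            PasswordError::MissingDigit => write!(f, "password must contain a digit"),
            PasswordError::MissingSpecial => write!(f, "password must contain a special character"),
        }
    }
}

/// Legacy policy reconstructed from the thread: length 8..=70 plus "must contain a
/// digit and a special character". Rejects long passphrases and long generated secrets.
pub fn validate_legacy(candidate: &str) -> Result<(), PasswordError> {
    let len = candidate.chars().count();
    if len < MIN_CHARS {
        return Err(PasswordError::TooShort { len, min: MIN_CHARS });
    }
    if len > LEGACY_MAX_CHARS {
        return Err(PasswordError::TooLong { len, max: LEGACY_MAX_CHARS });
    }
    if !candidate.chars().any(|c| c.is_ascii_digit()) {
        return Err(PasswordError::MissingDigit);
    }
    if !candidate.chars().any(|c| c.is_ascii_punctuation()) {
        return Err(PasswordError::MissingSpecial);
    }
    Ok(())
}

/// NIST-style policy: length bounds only, no composition rules, blocklist comparison.
/// Spaces and all printable Unicode are accepted; length is counted in code points,
/// as 800-63B specifies, not in bytes.
pub fn validate_nist(candidate: &str) -> Result<(), PasswordError> {
    let len = candidate.chars().count();
    if len < MIN_CHARS {
        return Err(PasswordError::TooShort { len, min: MIN_CHARS });
    }
    if len > MAX_CHARS {
        return Err(PasswordError::TooLong { len, max: MAX_CHARS });
    }
    if candidate.chars().any(char::is_control) {
        return Err(PasswordError::ControlCharacter);
    }
    // Compare case-insensitively so trivial variants of blocklisted entries are caught too.
    let normalized = candidate.trim().to_lowercase();
    if BLOCKLIST.contains(&normalized.as_str()) {
        return Err(PasswordError::Blocklisted);
    }
    Ok(())
}

/// The 128-character password from the issue, copied verbatim.
pub const ISSUE_PASSWORD: &str = "1=mh>;e#ps0;/iHO4,,u:s.oo^m'}u.};xU=,UX,(m{eI+(7-9taEg3rb)!0R.m/$#rN< ZdTuX[4b;YYa827JN`E:UIB]@-`}Tbrv`Z,^PG:8!aXNekK>9`gBu2b$A&";

fn main() {
    for (name, result) in [
        ("legacy", validate_legacy(ISSUE_PASSWORD)),
        ("nist", validate_nist(ISSUE_PASSWORD)),
    ] {
        match result {
            Ok(()) => println!("{name}: accepted"),
            Err(e) => println!("{name}: rejected: {e}"),
        }
    }
}
```

One caveat before raising a cap to 1024: if the stored hash is bcrypt, it silently uses only the first 72 bytes of input, so two passwords that differ only after byte 72 collide; a generous character limit then needs either a hash without that limit (Argon2id) or a pre-hash step, and the limit has to be enforced in bytes, not code points, since multi-byte UTF-8 reaches 72 bytes well before 72 characters. Some upper bound is still worth keeping, since it bounds both request size and the CPU spent hashing.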
