Photo of Terence Eden. He has a beard and is smiling.

How *not* to do a password change page

· 3 comments · 200 words · read ~401 times.

We've all been faced with this screen, right? You haven't logged in to a website for a while, so it prompts you to change your password.

Screenshot of A Change Password field. It lists various restrictions - but nothing about a maximum length

sigh Annoying but probably necessary.

The problem was, every time I tried to change my password, it told me that my old password was invalid. The one that I'd just used to log in. I use the incredible LastPass Password Manager - so I knew I wasn't typing it incorrectly.

It took a few tries, but I finally figured out what was going wrong. When I'd set up the account, LastPass had generated a secure 32 character password. But the "old password" field had artificially restricted passwords to a maximum of 20 characters.

Screenshot of HTML source code showing that the input maxlength is set to 20-fs8

Well, that's easy enough to change! Crack open Firefox's Inspect Element tool, change the maxlength value, and submit again.

Screenshot of A Change Password field. An error message says ensure this value has at most 20 characters it has 32)-fs8

What utter cockwombles.

Can you see any mention of a maximum length in the password rules? Minimum, sure, but no max.

Naturally, this 20 character restriction isn't enforced on the login page.

Screenshot of HTML source showing now password length restrictions on login-fs8

Take a bow, "Willis Towers Watson", your web developers are actively making the world a worse place. I'd ring you up to complain, but naturally you're closed on a Sunday.

Share this post on…

  • Mastodon
  • Facebook
  • LinkedIn
  • BlueSky
  • Threads
  • Reddit
  • HackerNews
  • Lobsters
  • WhatsApp
  • Telegram

3 thoughts on “How *not* to do a password change page”

  1. says:

    “Annoying but probably necessary.” How so? All the modern websites don’t make you type your old password to set a new one. Seems like a legacy technique.
    Reply

    1. Terence Eden says:

      I think that it's a sensible security feature to ensure that someone knows the existing password before changing it. Prevents session hijacking attacks etc.
      Reply

  2. MikeR says:

    I was quite interested in this as I had run into a similar problem myself on a couple of websites. I use a (personally generated) unique password for each site. On these particular sites the front page login area allow you to type a shorter (or in one case longer) password than is accepted on a separate login page on the same site. Hence if I arrive at the one page and use my password it states 'wrong password' and throws me to the 'other' (try again) login page, where exactly the same password is accepted. It took me quite a while to to realise that different web pages on the same site were implementing different password length checks & actually truncating my password). Of course, just as in your example, those rules were not declared either on the web page or in any error message.
    Reply

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">