How *not* to do a password change page


We've all been faced with this screen, right? You haven't logged in to a website for a while, so it prompts you to change your password.

Screenshot of a Change Password form. It lists various restrictions, but nothing about a maximum length.

*sigh* Annoying but probably necessary.

The problem was, every time I tried to change my password, it told me that my old password was invalid. The one that I'd just used to log in. I use the incredible LastPass Password Manager - so I knew I wasn't typing it incorrectly.

It took a few tries, but I finally figured out what was going wrong. When I'd set up the account, LastPass had generated a secure 32 character password. But the "old password" field had artificially restricted passwords to a maximum of 20 characters.

Screenshot of HTML source code showing that the input's maxlength is set to 20.

Well, that's easy enough to change! Crack open Firefox's Inspect Element tool, change the maxlength value, and submit again.

Screenshot of the Change Password form. An error message says "Ensure this value has at most 20 characters (it has 32)".

What utter cockwombles.

Can you see any mention of a maximum length in the password rules? Minimum, sure, but no max.

Naturally, this 20 character restriction isn't enforced on the login page.

Screenshot of HTML source showing no password length restrictions on the login form.
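The root cause above is that the change-password form carries its own length limit (client-side `maxlength` and a matching server-side check) while the login form and the published rules carry none, so a password the site accepted at login is rejected a page later. The fix is structural: derive every password input's attributes, every server-side check and the rules text from a single policy object, and verify the "old password" exactly the way login verifies it, against the stored hash. The following is an added example written for this post, not code from the site in question; the 128-character maximum, the PBKDF2 parameters and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumption (not from the post): a generous upper bound that never blocks a
# manager-generated password (the post's was 32 characters) while still capping
# the work the password hash has to do on absurdly long input.
MAX_PASSWORD_LENGTH = 128
PBKDF2_ITERATIONS = 100_000  # constructed value; tune for your own hardware


class PasswordPolicy:
    """One set of length limits, used by every form and printed in the rules text."""

    def __init__(self, min_length=8, max_length=MAX_PASSWORD_LENGTH):
        self.min_length = min_length
        self.max_length = max_length

    def rules(self):
        # The maximum is stated alongside the minimum, so it is never a surprise.
        return [f"at least {self.min_length} characters",
                f"at most {self.max_length} characters"]

    def errors(self, password):
        problems = []
        if len(password) < self.min_length:
            problems.append(f"Ensure this value has at least {self.min_length} "
                            f"characters (it has {len(password)}).")
        if len(password) > self.max_length:
            problems.append(f"Ensure this value has at most {self.max_length} "
                            f"characters (it has {len(password)}).")
        return problems

    def input_attrs(self):
        # Every password <input> (login, old password, new password) gets these attributes.
        return {"type": "password", "minlength": self.min_length, "maxlength": self.max_length}


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class AccountService:
    """Login and change-password share one policy and one verification path."""

    def __init__(self, policy):
        self.policy = policy
        self._hashes = {}  # username -> salt + PBKDF2 digest (in-memory stand-in for a DB)

    def register(self, user, password):
        problems = self.policy.errors(password)
        if not problems:
            self._hashes[user] = hash_password(password)
        return problems

    def login(self, user, password):
        # Reject over-length input before hashing, using the *same* limit the form declared.
        if len(password) > self.policy.max_length:
            return False
        stored = self._hashes.get(user)
        return stored is not None and verify_password(password, stored)

    def change_password(self, user, old_password, new_password):
        # The old password is checked exactly as the login page checks it: against the
        # stored hash, never against a shorter maxlength of its own.
        if not self.login(user, old_password):
            return ["Old password is incorrect."]
        problems = self.policy.errors(new_password)
        if not problems:
            self._hashes[user] = hash_password(new_password)
        return problems


def demo():
    """Walk a 32-character manager-style password (constructed) through both flows."""
    policy = PasswordPolicy()
    svc = AccountService(policy)
    old = "Xk9#mP2vLq7$wR4nTz8!bH5yGc3@jF6e"  # 32 characters, constructed
    new = "Qw1%rT5uYp9&oI3aSd7(fG2hJk4)lZ0x"  # 32 characters, constructed
    # A form with its own 20-character cap reproduces the post's error message.
    legacy_error = PasswordPolicy(max_length=20).errors(old)[0]
    return {
        "lengths": (len(old), len(new)),
        "registered": svc.register("alice", old) == [],
        "login_ok": svc.login("alice", old),
        "change_ok": svc.change_password("alice", old, new) == [],
        "login_with_new": svc.login("alice", new),
        "old_rejected_after_change": not svc.login("alice", old),
        "max_declared": any("at most" in r for r in policy.rules()),
        "attrs_match": policy.input_attrs()["maxlength"] == policy.max_length,
        "legacy_error": legacy_error,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check worth adding to a deployment pipeline is the one `input_attrs` makes possible: render every password field from the policy and fail the build if any template hard-codes its own `maxlength`, so login and change-password can never drift apart again.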

Take a bow, "Willis Towers Watson", your web developers are actively making the world a worse place. I'd ring you up to complain, but naturally you're closed on a Sunday.

3 thoughts on “How *not* to do a password change page”

  1. “Annoying but probably necessary.” How so? All the modern websites don’t make you type your old password to set a new one. Seems like a legacy technique.

    1. I think that it's a sensible security feature to ensure that someone knows the existing password before changing it. Prevents session hijacking attacks etc.

  2. I was quite interested in this as I had run into a similar problem myself on a couple of websites. I use a (personally generated) unique password for each site. On these particular sites the front page login area allows you to type a shorter (or in one case longer) password than is accepted on a separate login page on the same site. Hence if I arrive at the one page and use my password it states 'wrong password' and throws me to the 'other' (try again) login page, where exactly the same password is accepted. It took me quite a while to realise that different web pages on the same site were implementing different password length checks (& actually truncating my password). Of course, just as in your example, those rules were not declared either on the web page or in any error message.
