How *not* to do a password change page
By @edent
· HTML idiots password security usability · 3 comments · 200 words · read ~391 times.
We've all been faced with this screen, right? You haven't logged in to a website for a while, so it prompts you to change your password.
sigh Annoying but probably necessary.
The problem was, every time I tried to change my password, it told me that my old password was invalid. The one that I'd just used to log in. I use the incredible LastPass Password Manager - so I knew I wasn't typing it incorrectly.
It took a few tries, but I finally figured out what was going wrong. When I'd set up the account, LastPass had generated a secure 32 character password. But the "old password" field had artificially restricted passwords to a maximum of 20 characters.
Well, that's easy enough to change! Crack open Firefox's Inspect Element tool, change the maxlength value, and submit again.
What utter cockwombles.
Can you see any mention of a maximum length in the password rules? Minimum, sure, but no max.
Naturally, this 20 character restriction isn't enforced on the login page.
Take a bow, "Willis Towers Watson", your web developers are actively making the world a worse place. I'd ring you up to complain, but naturally you're closed on a Sunday.
Mastodon
Twitter
Facebook
LinkedIn
Reddit
HackerNews
Lobsters
Pocket
WhatsApp
Telegram
“Annoying but probably necessary.” How so? All the modern websites don’t make you type your old password to set a new one. Seems like a legacy technique.
I think that it's a sensible security feature to ensure that someone knows the existing password before changing it. Prevents session hijacking attacks etc.
I was quite interested in this as I had run into a similar problem myself on a couple of websites. I use a (personally generated) unique password for each site. On these particular sites the front page login area allow you to type a shorter (or in one case longer) password than is accepted on a separate login page on the same site. Hence if I arrive at the one page and use my password it states 'wrong password' and throws me to the 'other' (try again) login page, where exactly the same password is accepted. It took me quite a while to to realise that different web pages on the same site were implementing different password length checks & actually truncating my password). Of course, just as in your example, those rules were not declared either on the web page or in any error message.