View Issue Details

IDProjectCategoryView StatusLast Update
12427Feature requests[All Projects] User / Groups / Rolespublic2019-08-27 11:18
Reporterblocka Assigned Toc_schmitz  
PrioritynoneSeverityfeature 
Status closedResolutionwon't fix 
Product Version 
Target VersionFixed in Version 
Summary12427: Passwords allow for preceeding and trailing spaces
Description

Not really a bug, but in 2.65.0 Build 170502 (and the latest version/previous versions as far as I can tell), if I manually create a user password, and I accidentally enter a space before or after the password, the password is not trimmed before being inserted into the database. Nor are passwords trimmed at the login page.

Seems to me to be a simple fix to wrap trim around password variable before hashing at login.php and User.php and would be a good practice feature as I'm sure sometimes, like me, one copies and pastes passwords and accidentally the copy picks up a space character.

TagsNo tags attached.

Relationships

related to 14049 closedc_schmitz Feature requests Don't send plain text passwords through mail 
related to 15190 assignedcdorin Bug reports Assigned administration user password is generated randomly, but not time-limited and user is not required to change it 

Activities

user14106

2017-06-06 18:29

  ~43833

I would say it's not an issue.
Try googling it a bit. It seems to be a good practice to not do it.

DenisChenu

DenisChenu

2019-03-12 15:18

developer   ~50922

In my opinion : we must FORCE white space inside a password ;)

blocka

blocka

2019-03-12 15:21

reporter   ~50923

Now I see the light of this -- yes, spaces should be allowed (although maybe a warning should be displayed that the password contains spaces)... I just cases where if one cuts and pastes a password, a space gets added and people don't always realize that.

DenisChenu

DenisChenu

2019-03-12 15:57

developer   ~50927

Yes : showing an information about surrounded whitespace is a good idea :) +1

blocka

blocka

2019-03-12 16:29

reporter   ~50928

HOWEVER, a big problem is that by default the system sends the password on a password reset request as open text in email... That's not so good.

I know this can be disabled by setting this in config.php (which prevents sending password at time of account creation, and removes the "Forgot your password?" question on the login page:

'display_user_password_in_email' => false

I notice with this set to false, that when I create a user account, the system message on the create user dialog still indicates that the password will be sent to the user via email, even though it won't be: I recommend that message should instead indicate the password WILL NOT be sent if config setting is 'false'.

While obviously a user with permissions to create/edit users can reset user passwords, there are scenarios whereby an organization policy states that end users should be the only ones who know their passwords.

With 'display_user_password_in_email' => false, the user has no way to reset their password. This could be resolved with a single user password reset link instead of sending passwords in emails. Some of this logic likely already exists, since there is the config setting for use_one_time_passwords (but it is designed for external systems that create accounts in LS -- maybe this can be extended to the core system...

Or maybe there are other great ways to prevent passwords being sent by email, but still allow users to request password resets (like a password reset link -- instead of sending the password in the email).

And on top of all that, if 2FA using Google Authenticator was a feature that could be enabled on all user accounts, this would give end-users the option to apply an additional layer of protection on their user accounts.

DenisChenu

DenisChenu

2019-03-12 17:40

developer   ~50930

The real fix is :

  • Sending a temporary link with one time password to the email
  • When user open this link : redirect to a page to set his password.

:)

blocka

blocka

2019-03-12 18:05

reporter   ~50934

Yes, this would be a good approach to start with.
Right now though, I don't believe this can be natively done in LS right? I can set:
'use_one_time_passwords' => true

But I still get the standard login email...

Any thoughts what would it take to integrate the link with onetime password into LS?

DenisChenu

DenisChenu

2019-03-13 08:00

developer   ~50937

One day work (maybe more), and only in 4.X

Issue History

Date Modified Username Field Change
2017-05-25 15:38 blocka New Issue
2017-06-06 18:29 user14106 Note Added: 43833
2019-03-12 15:18 DenisChenu Note Added: 50922
2019-03-12 15:21 blocka Note Added: 50923
2019-03-12 15:57 DenisChenu Note Added: 50927
2019-03-12 16:29 blocka Note Added: 50928
2019-03-12 17:39 DenisChenu Relationship added related to 14049
2019-03-12 17:40 DenisChenu Note Added: 50930
2019-03-12 18:05 blocka Note Added: 50934
2019-03-13 08:00 DenisChenu Note Added: 50937
2019-08-27 11:17 c_schmitz Assigned To => c_schmitz
2019-08-27 11:17 c_schmitz Status new => closed
2019-08-27 11:17 c_schmitz Resolution open => won't fix
2019-08-27 11:18 c_schmitz Relationship added related to 15190
2019-11-01 17:26 c_schmitz Category User/User groups => User / Groups / Roles