Bug 238161 - Gentoo bugzilla does not accept long passwords
Summary: Gentoo bugzilla does not accept long passwords
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Infrastructure
Reported: 2008-09-20 03:29 UTC by Rob M.
Modified: 2008-10-02 05:19 UTC (History)
Description Rob M. 2008-09-20 03:29:05 UTC
Using passwords of 20 characters (the kind of password easy to generate with a password manager) or more by using the "forgot my password" option and updating your password for a bugs.gentoo.org account causes an error message to be generated when you try to use the account with the password.

This bug is of low severity and isn't currently security related since shorter passwords provide sufficient security for authenticating to a website at the current time, but this is kind of nasty and ugly. Even if longer passwords aren't allowed, an error message should be displayed if there's an intentional limit on longer passwords and someone tries to use one for their account.

It may happen with passwords smaller than 20 characters. I tried several password lengths between 20 and 40 characters.

Reproducible: Always

Steps to Reproduce:
1. Click "Forgot My Password" on bugs.gentoo.org, enter email address.
2. Receive email with link to change password.
3. Change password using 20+ character password, entered from password manager.
4. Try to log in with that email and password combination; password is from password manager.

Actual Results:
Get big red error message box after authentication saying that user name or password is invalid.

Expected Results:
Either accepted the long password, or generated an error on Step 3 telling me my password was too long.

Doesn't seem to be a "used the wrong character in the password" problem, but strictly based on length. Some of the longer passwords were used to avoid using special characters in case that was an issue.
Comment 1 Christophe LEFEBVRE 2008-10-01 18:29:37 UTC
I also have a problem with Gentoo bugzilla. I have tried several times to change my email address in my prefs and I never received a mail on my new email address... I don't know if it is normal, or if it is because I have a number and a "point" in my new email address: clefebvre.62 [\\AT//] free.fr
Maybe I have to open a new bug for this? Maybe you prefer to treat these 2 bugs at the same time... I don't know :-) Thanks in advance.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-10-02 05:18:43 UTC
christophe.lefebvre@ifrance.com: blame your ISP.
mail/smtp.log.1:Oct  1 23:08:40 woodpecker postfix/qmgr[20343]: 66D4665082: from=<bugzilla-admin-daemon@gentoo.org>, size=1158, nrcpt=1 (queue active)
mail/smtp.log.1:Oct  1 23:08:41 woodpecker postfix/smtp[32590]: 66D4665082: host mx1.free.fr[212.27.48.7] said: 421 Too many errors from your IP (140.211.166.183), please visit http://postmaster.free.fr/ (in reply to RCPT TO command)
mail/smtp.log.1:Oct  1 23:08:42 woodpecker postfix/smtp[32590]: 66D4665082: to=<clefebvre.62@free.fr>, relay=mx1.free.fr[212.27.48.6], delay=17111, status=deferred (host mx1.free.fr[212.27.48.6] said: 421 Too many errors from your IP (140.211.166.183), please visit http://postmaster.free.fr/ (in reply to RCPT TO command))
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-10-02 05:19:19 UTC
tommy: length limit changed to 40, since we are using a crypt function that supports long passwords safely.
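
Added example, not Bugzilla's or Gentoo's code: the report does not state the root cause, so this assumes one common cause, a login path that handles password length differently from the password-change path, and shows the behaviour the reporter asked for (accept up to the limit, or fail loudly when the password is set). PBKDF2 stands in for the unnamed crypt function; `LOGIN_FIELD_LEN` and all function names are hypothetical.

```python
import hashlib
import hmac
import os

MAX_LEN = 40          # limit stated in comment 3
LOGIN_FIELD_LEN = 16  # constructed value: hypothetical shorter cap on the login path


class PasswordTooLong(ValueError):
    pass


def _hash(password, salt):
    # PBKDF2 consumes the whole input, so nothing is silently truncated.
    # Iteration count is chosen for the demo only.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def set_password(password):
    """Password-change path: reject over-long input with an explicit error."""
    if len(password) > MAX_LEN:
        raise PasswordTooLong(f"password exceeds {MAX_LEN} characters")
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def verify(password, record):
    """Login path that applies the same limit as set_password."""
    if len(password) > MAX_LEN:
        return False
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)


def verify_mismatched(password, record):
    """Assumed faulty login path: truncates input that was stored in full."""
    salt, digest = record
    return hmac.compare_digest(_hash(password[:LOGIN_FIELD_LEN], salt), digest)


def demo():
    """Map password length -> (consistent login ok, mismatched login ok)."""
    results = {}
    for n in (8, 16, 20, 40):
        pw = "x" * n  # constructed sample passwords
        rec = set_password(pw)
        results[n] = (verify(pw, rec), verify_mismatched(pw, rec))
    try:
        set_password("x" * 41)
        results[41] = "accepted"
    except PasswordTooLong as exc:
        results[41] = str(exc)
    return results
```

With the mismatched path, short passwords keep working and only the long ones fail at login, which matches the symptom in the description. A round-trip test over every length up to the limit catches this class of regression.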