Loris: [docs:UserAccts] Password rules as displayed in the front end for users need updating

Created on 17 Aug 2020  路  12Comments  路  Source: aces/Loris

Passwords are required to be significantly longer since the 23 release, and the Password rules displayed in User Accounts for the (Admin)user haven't been updated.

The poor admin who tries to follow the rules printed in User Accounts Add/Edit User page will not successfully be able to save a password.

Haven't checked but I would also suspect the password rules printed in the Reset Password feature would need an update too.

Bug Documentation

Most helpful comment

Haowei i think this could be a nice easy bug in the text we show front-end users.

@laemtl can you guide him through the process?

First steps in looking into this bug will include:

  • [ ] Find the recent PRs that modified the password rules, but forgot to actually update what we say the password rules are in the front-end.
  • [ ] Dig a little into those PRs, and test yourself what the current password rules actually are
  • [ ] Update the password rules we display in the User Accounts module, keeping in mind they should be simple and clear for the user/reader
  • [ ] Triple-check (with our help) for any other places in LORIS where password rules are (or maybe should?) be printed -- e.g. User/My Preferences (where users reset their own passwords), or the "Forgot my password" feature off the Login page.

Then : issue a Pull Request (PR) to the main branch with these changes, and ask @laemtl to Review and also Test your changes.

All 12 comments

Haowei i think this could be a nice easy bug in the text we show front-end users.

@laemtl can you guide him through the process?

First steps in looking into this bug will include:

  • [ ] Find the recent PRs that modified the password rules, but forgot to actually update what we say the password rules are in the front-end.
  • [ ] Dig a little into those PRs, and test yourself what the current password rules actually are
  • [ ] Update the password rules we display in the User Accounts module, keeping in mind they should be simple and clear for the user/reader
  • [ ] Triple-check (with our help) for any other places in LORIS where password rules are (or maybe should?) be printed -- e.g. User/My Preferences (where users reset their own passwords), or the "Forgot my password" feature off the Login page.

Then : issue a Pull Request (PR) to the main branch with these changes, and ask @laemtl to Review and also Test your changes.

Hi @christinerogers and @laemtl,
Based on your instructions, I looked into the password rules.
The recent PRs relating to password rules changes (for Release 23.0.0) are: #6705, #6615, #6611, #6510, #6341, #6330, #5974, and #5958. However, I did not find any PRs relating to password rules changes for Release 23.0.1, 23.0.2, and 23.0.3 so far.
The recent PR that modified the password rules is #5974.
The classes that mentioned the password rules (for LORIS Frontend) are: form_passwordexpiry.tpl, form_my_preferences.tpl, and form_edit_user.tpl.
Based on #5974 and my personal experience add/edit the password in LORIS, I think that the current password rules listed in Frontend generally explain all the password rules. However, I found that the current LORIS password rules did not mention the use of Zxcvbn library, should I improve and mention this?
Thank you very much!

If the error message is self-explanatory I think it's fine.

@laemtl I think that this issue could be closed?

Hi Haowei, to clarify --
What is the new length of password that must be entered when changing a password in User Accounts?
Does the password-rules instructions to users as shown in the page accurately reflect this?

That's what this issue is asking to resolve.

@christinerogers I tried to add a new user and the minimum length of password was 8. I think that the current password rules to users generally reflect the actual password rules.

Hi @haoweiqiu -- you think or you're sure? if you're sure, we can close this issue.

@christinerogers I confirm.

@christinerogers I think I'm sure.

closing this issue.

@christinerogers, @haoweiqiu After further investigation, zxcvbn can reject passwords of length 8 or longer if their score is not at least 3. Fewer rejections happen with passwords of length 10. What about increasing the suggested length to 10? The phrasing can emphasize that it's a recommendation and that a password can still be rejected.

Was this page helpful?
0 / 5 - 0 ratings