Open VetheonGames opened 2 months ago
odd, the limit elsewhere is 255
I tried a password like
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
which has 80 characters. And it works when logging in again several times.
So I think the root reason may not be the length of the password.
There are some things to confirm:
odd, the limit elsewhere is 255
password would not be saved directly in DB, so the limitation of this field is not related to the real length of the password.
Please confirm whether the user is unable to login via the webUI or via git interaction (push/pull...)
The webUI would be ... ok and might point towards some password manager (built into chrome for instance) git ... it could be the credential's manager
BOTH should have prompted when there was a password change but there is always the possibility it didn't
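The point made above, that the database stores a hash rather than the password and so the column limit says nothing about password length, as an added example that is not part of the original thread and is not Gitea's code. It assumes PBKDF2-HMAC-SHA256 with constructed parameters and a constructed sample password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for illustration; not read from any Gitea configuration.
ITERATIONS = 50_000
KEY_LEN = 50   # bytes of derived key
SALT_LEN = 16  # bytes of random salt

# Constructed 128-character sample password (not taken from the thread).
SAMPLE = ("Constructed-128-char-sample-" * 5)[:128]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex', the record a database column would hold."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, ITERATIONS, KEY_LEN)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key from the submitted password and compare in constant time."""
    salt_hex, hash_hex = stored.split("$")
    expected = bytes.fromhex(hash_hex)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), ITERATIONS, len(expected))
    return hmac.compare_digest(dk, expected)


def stored_lengths(lengths):
    """Map password length -> length of the stored record for that password."""
    return {n: len(hash_password("a" * n)) for n in lengths}


if __name__ == "__main__":
    # The stored record has the same size whatever the password length.
    print(stored_lengths([8, 64, 80, 128, 300]))
    record = hash_password(SAMPLE)
    print("full password verifies:", verify_password(SAMPLE, record))
    # Every character is hashed, so any change made to the submitted value
    # between setting the password and logging in makes verification fail.
    print("first 64 chars only:", verify_password(SAMPLE[:64], record))
    print("trailing newline added:", verify_password(SAMPLE + "\n", record))
```
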
I was the end user; I use Bitwarden as my password manager. I changed my password to a 128-char password generated by Bitwarden, saved it to Bitwarden, and copied it to Notepad to ensure I wasn't losing it. It let me onto the site after changing my password. I logged out and logged back in, and it denied my password. I tried password reset via email four times. We tried deleting and recreating my account twice and despite making sure I saved the password it refused to let me login with a password until I dropped the length to 64. One of the passwords tried was b7nwOFv8oX3styrbkwQOimrJI2iIu22ZrUn2ofXCBskDGPsn6PXZBj68FtO2Mv6Rikqv4TMKXnn5fa5tNRCUUS0fOpVPam5uEYmeRodH2RIW5mQSOzlvuY0E6e0PvJym
and it didn't work. But cutting it in half as the new password and it worked fine. (Not a password being used anymore just an example from the past)
Any word on what we can do to help investigate this? Apologies for my lack of response, I don't check Github often since switching all my stuff over to my private Gitea instance lol
good question... So. I took that "example" password from @Frerduro ( b7nwOFv8oX3styrbkwQOimrJI2iIu22ZrUn2ofXCBskDGPsn6PXZBj68FtO2Mv6Rikqv4TMKXnn5fa5tNRCUUS0fOpVPam5uEYmeRodH2RIW5mQSOzlvuY0E6e0PvJym ) and made a test user and when logged in 1st time changed the password to this example. It worked and I can login and logout.
This is with gitea 1.22.2 (gentoo, local compile)
You have a password manager in-use here so you need to determine whether this is gitea or the password manager or the browser...
Well the password manager is just what generated the password for us.
We copy pasted it from notepad, and he even tried manually entering it. If you can use it without issue, perhaps the issue is with my database setup or something?
I know I've had strange issues with my personal gitea instance not behaving normally for unknown nebulous reasons before.
I set up a 1.22 instance, and tested your password b7nwOFv8oX3styrbkwQOimrJI2iIu22ZrUn2ofXCBskDGPsn6PXZBj68FtO2Mv6Rikqv4TMKXnn5fa5tNRCUUS0fOpVPam5uEYmeRodH2RIW5mQSOzlvuY0E6e0PvJym
It does work. If you believe there is a problem which should be resolved, maybe a reproducible setup with detailed steps is needed. For example: docker compose up, and install
If and only if others could reproduce, the problem might be debugged.
We copy pasted it from notepad, and he even tried manually entering it. If you can use it without issue, perhaps the issue is with my database setup or something?
Maybe you could also check your network service, especially some firewalls and reverse proxy (security) settings.
If you don't use Bitwarden, it works? I also tried this password, it works when I input it manually. Maybe others also tried it without password manager, and I guess maybe it is related to Bitwarden.
Description
Hey everyone,
A user recently reported a strange error to me, where they could set a password of over 64 characters, and login one time, then it won't let them login again, stating they are using the wrong password.
It took us quite a bit of troubleshooting to narrow it down to the fact that it happens when the user's password is longer than 64 characters.
If this is a limitation that's unable to be overcome, it would be nice to have a warning on the registration page that states that passwords cannot be over 64 characters, or just prevent passwords from being saved if they exceed that length.
Gitea Version
1.22.0 built with GNU Make 4.4.1, go1.22.3 : bindata, timetzdata, sqlite, sqlite_unlock_notify
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No logs other than "invalid password for 'username'"
Screenshots
No response
Git Version
No response
Operating System
Arch Linux (Zen Kernel)
How are you running Gitea?
Inside the official Docker container
Database
MySQL/MariaDB