Password: Very long password score is too low (requirements not clear)

[fodorgeza]

Hello,

if I have a very long password, I cannot modify it. Let's test with this one: ThisIsAprettyGoodPassword13939

Geza

[alecpl]

If you have problems with your email account (e.g. cannot log in, emails got lost, etc.) or if you have questions how to configure your Outlook or mobile phone to get email, this isn't the right place to ask. Roundcube is not a service but free software which somebody installed for you.

Please contact your internet hosting provider or IT responsible instead. If you don't know who this might be, please review your bills and find out who you're paying for email and webhosting services.

[fodorgeza]

Well, maybe I wasn't precise enough. We've been providing email service for almost 25 years, so we've seen a lot. Our users reported the above, slightly inaccurately described error. Now let me elaborate a bit more.

Steps to reproduce the error:

$config['password_driver'] = "sql"; $config['password_minimum_length'] = 10; $config['password_minimum_score'] = 2; $config['password_dovecotpw_with_method'] = true; $config['password_hash_algorithm'] = 'SSHA512'; $config['password_blowfish_cost'] = 12;

I got a password, let's say: wHsWnts381. When I try to alter it, let's say to this one: ThisIsAprettyGoodPassword13939, RoundCube answers, as “passwordtooweak”. That is a question.

There is one more interesting thing. If we let the user alter his password wia a special page - e.g. in the forgot password flow - we can store there the mentioned long password, and it will work.

[alecpl]

If you set

$config['password_strength_driver'] = null; // the default
$config['password_minimum_score'] = 2;

password has to have at least one digit and at least one character that is not a digit nor a letter (a-z).

I think that with minimum_length=10 you can lover the minimum_score to 1.

[fodorgeza]

Thank you.

The password "ThisIsAprettyGoodPassword13939" with score 2 is weak and will be accepted only with score 1. however, I think, it is much more stronger than "wHsWnts381" which is accepted with score 2. See also here a short discussion: https://forum.iredmail.org/topic19231-cannot-change-default-password-in-roundcube.html

[alecpl]

Well, I think the problem here is that we don't tell the user what is required. I.e. "password must include at least one digit and at least one character that is not a digit nor a letter" should appear in the password form.

We could also improve the scoring mechanism. Initially it was designed to be compatible with old password_require_nonalpha setting. We could bump the score on a very long pussword (>20 characters?), but we should be careful with the wording regarding password requirements suggested above.