sovity / authority-portal

Allows a Dataspace Authority to manage its participants.
https://sovity.de/en/build-entire-data-space-en/
Apache License 2.0

Inconsistent Character Limit Implementation #17

Closed jridderbusch closed 6 months ago

jridderbusch commented 6 months ago

Description - What happened?

During the registration process on the "Register Organization - User Details", Login page etc, it has been observed that not all fields, including the "Password" and "Confirm Password" fields, enforce a character limit. This inconsistency in the application of character limits across form fields could potentially lead to data integrity issues and affect the user experience by allowing overly long inputs in certain critical fields.

Expected Behavior

All fields, especially sensitive ones like "Password" and "Confirm Password," should have a clearly defined and enforced character limit to ensure data consistency, security, and a streamlined user experience.

Observed Behavior

Not all fields on the "Register Organization - User Details" page enforce a character limit, specifically noted in the "Password" and "Confirm Password" fields, allowing users to input excessively long information.

Steps to Reproduce

  1. Navigate to the Authority Portal.
  2. Go to the "Register Organization" section and proceed to the "User Details" page.
  3. Attempt to input text into various fields, including "Password" and "Confirm Password", exceeding commonly accepted limits (e.g., more than 20 characters).
  4. Observe that some fields do not prevent the user from exceeding a reasonable character limit.

Context Information

This issue is assigned a high priority due to its potential impact on both security and user experience. Without consistent enforcement of character limits, the application may be vulnerable to various security risks associated with handling excessively long inputs. Additionally, this oversight could lead to a confusing user experience, as users may not receive clear feedback on acceptable input lengths for each field. Addressing this issue promptly will enhance the overall security and usability of the registration process.

Relevant log output

No response

Screenshots

No response

illfixit commented 6 months ago

Which limit would be OK from the BE POV?

kamilczaja commented 6 months ago

According to this source, anything lower than 128 is considered an unnecessary security risk.

Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.

Minimum length of the passwords should be enforced by the application. Passwords shorter than 10 characters are considered to be weak ([1]). While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set passphrases (sentences or combination of words) that can be much longer than typical passwords and yet much easier to remember.

Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters. Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters. Every character counts!!

Make sure that every character the user types in is actually included in the password. We've seen systems that truncate the password at a length shorter than what the user provided (e.g., truncated at 15 characters when they entered 20). This is usually handled by setting the length of ALL password input fields to be exactly the same length as the maximum length password. This is particularly important if your max password length is short, like 20-30 characters.