thunder-app / thunder

Thunder - An open-source cross-platform Lemmy client for iOS and Android built with Flutter
https://thunderapp.dev
GNU Affero General Public License v3.0

Logging in with long passwords does not work #52

Closed ShizuKoto closed 11 months ago

ShizuKoto commented 11 months ago

Description
When trying to log in using a long password (>13 chars), the app just shows "wrong password".

How to Reproduce
Steps to reproduce the behavior:

  1. Set your password on any instance to a 64 or 128 char long password (e.g. g?~zNvX`W-[=T8.4gb+XsCQcIK+jDj}-h4]P?${nYT[1K6X.ANNs9/1{O"W5%2AP)
  2. No, don't worry, that's not my password
  3. Try to log in thru the app
  4. App shows "password wrong"
  5. Exact same password works on the lemmy instance web ui and jerboa directly
  6. Set your password to 13 chars and try to login
  7. works

Expected Behavior
The login should be successful

Device & App Version:

MrAntonS commented 11 months ago

Hmm, I have a 28 symbol long password and don't seem to have an issue, let me try this password to check

MrAntonS commented 11 months ago

> Hmm, I have a 28 symbol long password and don't seem to have an issue, let me try this password to check

Had no issue signing in on check account with this exact password

ShizuKoto commented 11 months ago

Weird.. might have something to do with my instance? lemmy.world

ShizuKoto commented 11 months ago

I just tried deleting the app and reinstalling it. Tried 3 different instances with my 128 char long passwords. Same issue. Maybe try 128 chars?

MrAntonS commented 11 months ago

Do they have spaces in the front by any chance?

ShizuKoto commented 11 months ago

nah my password manager does not generate spaces in my passwords.

MrAntonS commented 11 months ago

Even weirder

ShizuKoto commented 11 months ago

Please don't tell me 128chars work for you? D:

MrAntonS commented 11 months ago

Let me check that generated 128 with bitdefender just now

MrAntonS commented 11 months ago

Works on lemmy.fmhy.ml. I'll check lemmy.world XD

MrAntonS commented 11 months ago

Reinstalled app completely to version 0.2.1+5 just in case I accidentally fixed the issue, but it works fine

ShizuKoto commented 11 months ago

So the only common link here is my password manager. I use KeePass and never had such issues.. Thank you for checking it out tho!

hjiangsu commented 11 months ago

Hmm, interesting - I have not yet tested this but I don't see a reason why 128 char password shouldn't work.

One guess is that maybe it could be a special character within the password that's causing the issues.. but if you're able to log in through the web ui, then that shouldn't be it

ShizuKoto commented 11 months ago

So I tried using my password manager to fill out the password automatically. Using a Password like "Abcdefgh9856!" works fine. Then I tried to apply a 128char long password with only lower/uppercase characters and numbers. Now filling the password does not work anymore. App shows "password wrong".

What a weird case..

MrAntonS commented 11 months ago

That's weird especially because bitdefender generates 128chr password with all parameters [image]

And still worked fine

hjiangsu commented 11 months ago

I guess I will try myself as well and see if maybe I can recreate the issue

hjiangsu commented 11 months ago

@ShizuKoto For the instances that you've tried, could you let me know what they are if possible? Also would be good to know what version they're running on (that could be an underlying cause as well)

ShizuKoto commented 11 months ago

So this is the password I just used on lemmy.world: ZKKMRsSzLiC3Syf3L3DbZFFYKx3XCmttU7JbC5rhEYnE2MHveaxwQKXPKwsZXMF4p4oqessMtFq5bU2XMmwwmDsYHjna3pkWEbiC9WWZ3KmyxX2Qgj9uHFxFF4jSyDPj

(I changed it back to my previous password ofc) Also I only use a username no mail on my instance in case that's in any case relevant?

@hjiangsu I tried it on lemmy.world, lemmynsfw.com, reddthat.com
lemmy.world: 0.17.4
lemmynsfw.com: 0.17.4-nsfwpatch
reddthat.com: 0.17.4

ShizuKoto commented 11 months ago

[image] I've confirmed there were no spaces neither in front nor in the end. Not in the pw nor in the username.

ShizuKoto commented 11 months ago

[image]

MrAntonS commented 11 months ago

Could be the way client sends query. You know like with sql injections. Some symbol causes the corruption of password

hjiangsu commented 11 months ago

Okay, so I just tried it with lemmy.ml with 128 char password using BitWarden to generate it and it seems to have logged in properly.

Although, I did run it with a development build of the app, not v0.2.1+5. I'll try running it with a clean install of v0.2.1+5 and see if I can reproduce it

ShizuKoto commented 11 months ago

> Could be the way client sends query. You know like with sql injections. Some symbol causes the corruption of password

I would agree with you but I already tried a pw with alphanumeric characters only. It does seem to be somehow connected to the length

MrAntonS commented 11 months ago

Can you try with this password? AJ7TvkZ3J#MXbnYxEse8kh8rYv9qTWr9tL7!e7EB!Ti6vMadjxxNpu@atPEw

hjiangsu commented 11 months ago

> Although, I did run it with a development build of the app, not v0.2.1+5. I'll try running it with a clean install of v0.2.1+5 and see if I can reproduce it

Just tried it again with v0.2.1+5 on iPhone running the app through TestFlight. I was still able to log in to my account so unfortunately, I haven't been able to reproduce it yet

ShizuKoto commented 11 months ago

AJ7TvkZ3J#MXbnYxEse8kh8rYv9qTWr9tL7!e7EB!Ti6vMadjxxNpu@atPEw

this password works. Though I changed it a little just to be on the safe side ;D

I didn't do it thru the pw manager tho, I actually just copy/pasted it.

hjiangsu commented 11 months ago

> Also I only use a username no mail on my instance in case that's in any case relevant?

I don't think that's what's causing it since I also use just a username on some instances

MrAntonS commented 11 months ago

I think it might be just an issue with your password manager

ShizuKoto commented 11 months ago

> I think it might be just an issue with your password manager

It's just so weird that it works fine even in Jerboa but not in Thunder.

MrAntonS commented 11 months ago

Have you tried copying your password to link a note and double checking if it's correct?

MrAntonS commented 11 months ago

> > I think it might be just an issue with your password manager
>
> It's just so weird that it works fine even in Jerboa but not in Thunder.

Yeah I think password autofill support is a little raw right now

ShizuKoto commented 11 months ago

> Have you tried copying your password to link a note and double checking if it's correct?

Just did.. I even tried to copy it from my text messenger. I don't know.. seems like passwords generated thru KeePass don't wanna work.

hjiangsu commented 11 months ago

Hmm, there's nothing in the implementation that I know of which could be causing an issue with the input fields/autofill unless it's a bug that's occurring within Flutter itself:

https://github.com/hjiangsu/thunder/blob/1a447594d3bd611357fef45491df843df2f67086/lib/account/pages/login_page.dart#L85-L126

ShizuKoto commented 11 months ago

I generated a 32char long password and this one works fine xD what the hell..

ShizuKoto commented 11 months ago

shorter passwords seem to work fine. Tried three different passwords across all three instances and all worked like a charm.

hjiangsu commented 11 months ago

That's very strange LOL - I have no idea what could be causing this...

ShizuKoto commented 11 months ago

Yea.. especially since you just route the password thru to flutter and it prolly does the same. I'm pretty baffled on what might be the issue here. But imma stick to shorter passwords for now then xD Thanks for all the debugging!

hjiangsu commented 11 months ago

Wait, one more question - you don't happen to have auto-correct enabled right? This is a stretch, but what if auto-correct is enabled, and causes the password to be corrected to another word (assuming the auto-correct sees something that it thinks it can correct)

ShizuKoto commented 11 months ago

Nah I despise auto-correct. I'm your paranoid everyday dev.

hjiangsu commented 11 months ago

Dang, okay nevermind then - I thought maybe I caught on to something. Regardless, I'll just strictly set autocorrect to false for the username/pass/instance fields
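
An added example, not part of the thread and not code from the Thunder repository: a Flutter password field with autocorrect and suggestions switched off, as proposed in the comment above, plus a helper that reports only the length and character classes of what the field received, so a long pasted or injected password can be checked for truncation or stray whitespace without exposing it. The names `PasswordField` and `describeSecret` are hypothetical.

```dart
import 'package:flutter/material.dart';

/// Describes a secret without revealing it: its length plus counts of
/// characters that keyboards, paste or autofill commonly add or alter.
/// (Hypothetical helper, not part of Thunder.)
Map<String, int> describeSecret(String s) {
  final runes = s.runes.toList();
  return {
    'codeUnits': s.length, // UTF-16 units held by the controller
    'runes': runes.length, // Unicode code points
    'edgeWhitespace': s.length - s.trim().length,
    'innerWhitespace': RegExp(r'\s').allMatches(s.trim()).length,
    'nonAscii': runes.where((r) => r > 0x7f).length,
    'control': runes.where((r) => r < 0x20 || r == 0x7f).length,
  };
}

/// Password field that asks the keyboard not to autocorrect or suggest,
/// and sets no maxLength or inputFormatters that could shorten the value.
class PasswordField extends StatelessWidget {
  const PasswordField({super.key, required this.controller});

  final TextEditingController controller;

  @override
  Widget build(BuildContext context) {
    return TextField(
      controller: controller,
      obscureText: true,
      autocorrect: false,
      enableSuggestions: false,
      keyboardType: TextInputType.visiblePassword,
      autofillHints: const [AutofillHints.password],
      decoration: const InputDecoration(labelText: 'Password'),
      onSubmitted: (value) {
        // Debug builds only: log the shape of the input, never the value.
        assert(() {
          debugPrint('password shape: ${describeSecret(value)}');
          return true;
        }());
      },
    );
  }
}
```

Comparing the logged `codeUnits` with the length shown in the password manager tells whether the value was already altered before it left the input field.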

duncanam commented 11 months ago

Also running into this problem. Can't log in to an instance with a longerish password, Jerboa handles this fine.

ShizuKoto commented 11 months ago

> Also running into this problem. Can't log in to an instance with a longerish password, Jerboa handles this fine.

Bro, I literally thought it was just me.. Thank you 😭

hjiangsu commented 11 months ago

Hmm okay it's not just a one-off then

@duncanam Are you using password autofill as well? or manually typing it in?

hjiangsu commented 11 months ago

I'll re-open this issue since it seems important!

duncanam commented 11 months ago

> Hmm okay it's not just a one-off then
>
> @duncanam Are you using password autofill as well? or manually typing it in?

I use KeePassDX, which I'm not sure how it works, but traditionally the desktop version of keepass will "autotype" for you for security reasons such that your clipboard is not involved. I do not get any autofill dialogue. KeePassDX ships its own keyboard that will inject your password into the field when you tell it to, so presumably it is also doing the same thing.

ShizuKoto commented 11 months ago

> > Hmm okay it's not just a one-off then @duncanam Are you using password autofill as well? or manually typing it in?
>
> I use KeePassXC, which I'm not sure how it works, but traditionally the desktop version of keepass will "autotype" for you for security reasons such that your clipboard is not involved. I do not get any autofill dialogue. KeePassXC ships its own keyboard that will inject your password into the field when you tell it to, so presumably it is also doing the same thing.

While I also use KeePass I use KeePassDX however. Also I always copy passwords from the app directly as Autoinput usually doesn't work for me. So usually my flow looks like this: Entering Username, switching to KeePassDX, searching and copying the password, switching back to the app, long press the password field, select "paste".

hjiangsu commented 11 months ago

Hmm, interesting

I might get KeePassDX to see if I can recreate this. Is it only available on Android? or is there an iOS version as well?

duncanam commented 11 months ago

> > > Hmm okay it's not just a one-off then @duncanam Are you using password autofill as well? or manually typing it in?
> >
> > I use KeePassXC, which I'm not sure how it works, but traditionally the desktop version of keepass will "autotype" for you for security reasons such that your clipboard is not involved. I do not get any autofill dialogue. KeePassXC ships its own keyboard that will inject your password into the field when you tell it to, so presumably it is also doing the same thing.
>
> While I also use KeePass I use KeePassDX however. Also I always copy passwords from the app directly as Autoinput usually doesn't work for me. So usually my flow looks like this: Entering Username, switching to KeePassDX, searching and copying the password, switching back to the app, long press the password field, select "paste".

I also use KeePassDX. Typo in original post. But yeah, I don't copy passwords, I use the KeePassDX keyboard shipped with the app that injects the password such that the system clipboard does not record the password.

ShizuKoto commented 11 months ago

> Hmm, interesting
>
> I might get KeePassDX to see if I can recreate this. Is it only available on Android? or is there an iOS version as well?

KeePass is an open source and "self hosted" password manager. Thus there are plenty of clients for every OS available. You can find all available clients here https://keepass.info/download.html

duncanam commented 11 months ago

> Hmm, interesting
>
> I might get KeePassDX to see if I can recreate this. Is it only available on Android? or is there an iOS version as well?

I believe KeePassDX is an android-only app. But, based on the fact that OP is literally copy and pasting the password, and I am doing a presumably "direct type" method, I am not fully convinced it is a keepass issue yet.