vt-middleware / passay

Password policy enforcement for Java.
http://www.passay.org

Password length fails using PasswordGenerator #124

Closed llama95 closed 3 years ago

llama95 commented 3 years ago

We're using passay 1.6 with a JDK 8/spring-boot environment to generate random one-time passwords for users. We have seen occurrences where the password length is not correctly enforced.

Below are the rules we use to generate our OTP, the last line of code specifying the length required for the OTP.

```java
import org.passay.CharacterData;
import org.passay.CharacterRule;
import org.passay.EnglishCharacterData;
import org.passay.PasswordGenerator;

// rules for our otp
CharacterData upperCaseChars = EnglishCharacterData.UpperCase;
CharacterRule upperCaseRule = new CharacterRule(upperCaseChars);
upperCaseRule.setNumberOfCharacters(1);

CharacterData lowerCaseChars = EnglishCharacterData.LowerCase;
CharacterRule lowerCaseRule = new CharacterRule(lowerCaseChars);
lowerCaseRule.setNumberOfCharacters(1);

CharacterData digit = EnglishCharacterData.Digit;
CharacterRule digitRule = new CharacterRule(digit);
digitRule.setNumberOfCharacters(1);

CharacterData special = CustomEnglishCharacterData.LimitedSpecial;
CharacterRule specialRule = new CharacterRule(special);
specialRule.setNumberOfCharacters(1);

PasswordGenerator gen = new PasswordGenerator();
String one_time_password = gen.generatePassword(10, upperCaseRule, lowerCaseRule, digitRule, specialRule);
```

--> returns this as the one_time_password --> "qP" --> returns this as the one_time_password --> "Tpc" etc

We rely strictly on passay for our password generation and have added in a fix by simply checking that the length of the one_time_password string is equal to 10. Please let me know if there are any additional details I can include to help mitigate the issue.
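As an added example (not code from the issue or from the passay project), the same four character rules can be applied after generation through passay's PasswordValidator together with a LengthRule, so that a generated OTP is rejected for any policy violation rather than only a length mismatch; the LIMITED_SPECIAL character set is inlined here as an assumption so the class compiles on its own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.passay.CharacterData;
import org.passay.CharacterRule;
import org.passay.EnglishCharacterData;
import org.passay.LengthRule;
import org.passay.PasswordData;
import org.passay.PasswordGenerator;
import org.passay.PasswordValidator;
import org.passay.Rule;
import org.passay.RuleResult;

public class OtpCheck {

    // Assumption: same limited symbol set as the reporter's LimitedSpecial, inlined here.
    private static final CharacterData LIMITED_SPECIAL = new CharacterData() {
        @Override public String getErrorCode() { return "LIMITED_SPECIAL"; }
        @Override public String getCharacters() { return "!#$%&()*+,-./:;<=>?@[]^_{|}~"; }
    };

    private static final int OTP_LENGTH = 10;

    // One rule per character class, at least one character each, as in the issue.
    private static final List<CharacterRule> CHARACTER_RULES = Arrays.asList(
        new CharacterRule(EnglishCharacterData.UpperCase, 1),
        new CharacterRule(EnglishCharacterData.LowerCase, 1),
        new CharacterRule(EnglishCharacterData.Digit, 1),
        new CharacterRule(LIMITED_SPECIAL, 1));

    /** Generates an OTP and validates it against the character rules plus an exact-length rule. */
    public static String generateCheckedOtp() {
        PasswordGenerator gen = new PasswordGenerator(); // uses SecureRandom by default
        String otp = gen.generatePassword(OTP_LENGTH, CHARACTER_RULES);

        List<Rule> rules = new ArrayList<>(CHARACTER_RULES);
        rules.add(new LengthRule(OTP_LENGTH, OTP_LENGTH)); // min == max: exactly 10 characters
        PasswordValidator validator = new PasswordValidator(rules);

        RuleResult result = validator.validate(new PasswordData(otp));
        if (!result.isValid()) {
            // Fail closed: never hand out an OTP that does not satisfy the policy.
            throw new IllegalStateException("Generated OTP failed policy: " + validator.getMessages(result));
        }
        return otp;
    }

    public static void main(String[] args) {
        System.out.println(generateCheckedOtp());
    }
}
```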

dfish3r commented 3 years ago

I haven't been able to reproduce this. Can you share your CustomEnglishCharacterData.LimitedSpecial class?

llama95 commented 3 years ago

I haven't been able to reproduce this. Can you share your CustomEnglishCharacterData.LimitedSpecial class?

Here you are @dfish3r. I have trouble reproducing it as well, and it seems to be a rare occurrence, but it indeed has been caught by our QA team more than 5 times now throughout their process.

```java
import org.passay.CharacterData;

public enum CustomEnglishCharacterData implements CharacterData {

    LimitedSpecial(
            "LIMITED_SPECIAL",
            // ASCII symbols
            "!#$%&()*+,-./:;<=>?@[]^_{|}~");

    /**
     * Error code.
     */
    private final String errorCode;

    /**
     * Characters.
     */
    private final String characters;

    CustomEnglishCharacterData(String code, String charString) {
        errorCode = code;
        characters = charString;
    }

    @Override
    public String getErrorCode() {
        return errorCode;
    }

    @Override
    public String getCharacters() {
        return characters;
    }
}
```

dfish3r commented 3 years ago

I still haven't had any luck with this. Can you share more details surrounding your usage of the library? What patch level of JDK8 are you using?

llama95 commented 3 years ago

@dfish3r our application is deployed as a war file to AWS via Elastic Beanstalk using Tomcat 8.5 and Corretto 11. I misspoke earlier when I stated we were using JDK 8, my bad.

dfish3r commented 3 years ago

Did you find the problem? I haven't got back to this to test with JDK 11.

llama95 commented 3 years ago

There’s no issue here. Issue was on our end. Apologies, appreciate your responses