Ticket #13114 (closed Bug: fixed)

Opened 3 years ago

Last modified 3 years ago

Non-ASCII characters in passwords don't work

Reported by: khink
Owned by:
Priority: minor
Milestone: 4.x
Component: General
Version: 4.2
Keywords: login, encoding, patch
Cc:

Description (last modified by khink)

Using special characters (like German umlauts) in passwords doesn't seem to work, and doesn't give a proper message to the user.

Steps to reproduce:

  • Create a new 4.2 site
  • Enable self-registration and allow users to pick their own passwords
  • Register a new user, set "äaaaa" as password
  • Portal message reports an error: 'ascii' codec can't encode character u'\xe4' in position 0: ordinal not in range(128), but the main area of the overlay reads "Welcome! You have been registered. Click the button to log in immediately."
  • Clicking the "Log in" button gives a "login failed" error message.
  • Re-entering the login name and password gives the same result, i.e. the user cannot log in.

Proposed solution: A validator that forbids special characters in passwords and produces a decent explanation for users.

Change History

comment:1 Changed 3 years ago by khink

  • Description modified
  • Summary changed from Umlauts in passwords don't work to Special characters in passwords don't work

comment:3 Changed 3 years ago by kleist

  • Keywords encoding, patch added; encoding removed
  • Status changed from new to confirmed
  • Component changed from Unknown to General

comment:4 Changed 3 years ago by davisagli

We should make special characters work; not disallow them. Arbitrarily constraining the space of possible passwords just makes things easier for crackers.

comment:5 Changed 3 years ago by khink

  • Summary changed from Special characters in passwords don't work to Non-ASCII characters in passwords don't work

Renamed "special characters" to "non-ASCII characters" - they're not so special!

comment:6 Changed 3 years ago by davisagli

  • Status changed from confirmed to closed
  • Resolution set to fixed

I applied a different fix which actually makes it possible to use non-ASCII characters in passwords: https://github.com/plone/plone.app.users/commit/346c9c9a8e381881d07b08c9b55c50e059776270 (also applied to the 1.1.x branch for Plone 4.2).
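
The failure from the description and the approach argued for in comment:4, as an added example (not part of the ticket and not the code of the linked plone.app.users commit): the password is encoded as UTF-8 before hashing instead of passing through an ASCII conversion, and registration reports success only if the credential was actually stored. The function names, the PBKDF2 parameters and the NFC normalisation step are assumptions of this example.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # constructed work factor for this example


def ascii_only_encode(password):
    """The failing path: an ASCII-only conversion of a text password."""
    return password.encode("ascii")  # raises UnicodeEncodeError on "ä"


def password_bytes(password):
    """Text -> bytes without restricting the character set."""
    # Assumption: NFC-normalise so that "ä" typed as U+00E4 and as
    # "a" + U+0308 (combining diaeresis) produce the same bytes.
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password, salt=None):
    """Return (salt, digest) for a text password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password_bytes(password), salt, ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, expected):
    """Constant-time comparison against the stored digest."""
    try:
        _, digest = hash_password(password, salt)
    except UnicodeError:
        return False
    return hmac.compare_digest(digest, expected)


def register(users, login, password):
    """Store the credential; return True only if it was really stored.

    The ticket shows the opposite: an encoding error was raised, yet the
    user was told the registration had succeeded.
    """
    try:
        users[login] = hash_password(password)
    except UnicodeError:  # e.g. a lone surrogate that UTF-8 cannot encode
        return False
    return True
```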
