
Logins Broken By New Password Rules

Andrew Neil
Evangelist III

There doesn't seem to be anywhere to post issues with the forum itself?

I couldn't log in this morning - the site kept saying my password was wrong.

I know that it wasn't wrong, because I copy it from a password manager.

So I had to do a password reset.

There it became obvious that the password rules (length, upper/lower case, symbols, etc) have changed.

This really shouldn't just break existing passwords.

:pouting_face:

At the very least, you should give a message like, "Our password rules have changed; you need to reset your password".

#UXFail

33 REPLIES

So maybe you're just lucky that your password happened to comply with the new rules?

EDIT

Or perhaps there is an "expiry" ?

Maybe. I didn't find "the new rules" of the community password.

They'd only appear if you actually tried to change your password.

> Or perhaps there is an "expiry" ?

Or just simply a bug which corrupts the login/password database.

Or just simply a bug when searching/using the login/password database.

JW

An obvious place is in a dedicated subforum of a forum with some structure. ST instead has this buggy tag-based mess. And no, making a page or menu with simple shortcuts to those tag filters doesn't make it into a usable forum. It's as usable as a forum, as a Ford Model T is usable as a car nowadays. Can the decision making employees see the difference between this mess and some real forum?

And Jan is right - ST doesn't listen either. There have been multiple surveys and Camilo interviewed the most active users individually and thoroughly. What's the point of doing that if almost nothing has been done to fix the reported issues? I'm not even talking about big changes, but even the most basic ones are ignored. The "remember me" on a login page still doesn't work. The bug, which requires loading each topic twice (because the first time the buttons are missing the text), has not been fixed. While writing posts, writing the @ symbol also still doesn't show the list of users the first time. Longer topics are still a pain to read because of "More answers". Not only quoting has not been implemented, but even taking a simple link to a post is not possible. And yes, we are engineers and understand that it's not a simple task to implement it in this not-a-forum mess. That is exactly the reason why we are saying - ditch it and switch to something actually usable!

As for broken logins... I can also report that there have been two times (during last year, months apart) for me that a password suddenly "is not correct" for no apparent reason and I had to do a password reset. And yes, it was not a user error, because that password is saved in a browser and copied from a password manager. It is also highly unlikely that it "doesn't follow the rules" as it is an auto-generated string of 20 random symbols consisting only of English letters and numbers. Sounds like another bug...

'It is also highly unlikely that it "doesn't follow the rules" as it is an auto-generated string of 20 random symbols consisting only of English letters and numbers.'

The current rules actually require you to have at least one from a very limited set of special characters.

EDIT - found it:

0693W000008xpY4QAI.png 

Note that the 'Must Not contain spaces' validation doesn't work - the entered password had no spaces, so this should have been checked & green.

'The "remember me" on a login page still doesn't work'

Indeed it doesn't - and hasn't for years.

'quoting has not been implemented, but even taking a simple link to a post is not possible'

Indeed - pretty sure I noted them in the survey before this version was even adopted.

And there's the inability to paste pictures: https://community.st.com/s/question/0D53W00000euHXrSAM/why-cant-you-publish-a-pasted-image

And the continuing nonsense with people putting the entire question in the title - which the forum actually encourages.

Then that proves the current passwords are not invalidated based on a change of rules, because I've not changed my password this year and it works. Actually, after the password is saved, it shouldn't be even theoretically possible to see it for anyone, including the administrators. Normally only a cryptographically secure hash of the password is stored.

"that proves the current passwords are not invalidated based on a change of rules, because I've not changed my password this year and it works"

I guess it does.

So something else went wrong - it was reporting my password as incorrect when it certainly wasn't.

>:(

By the way that reset page says: "at least three of the following four categories". According to that my password is still valid because it uses uppercase characters, lowercase characters and numbers. And therefore it doesn't prove anything. :D
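The point argued in the replies above, as an added example that is not part of the thread and not the forum's own code: when only a salted hash is stored, a rule change cannot by itself turn a correct password into a "wrong" one, and the login step, which does see the plaintext, is where a "rules have changed" notice can be raised. The minimum length, the special-character set and the PBKDF2 parameters are assumptions; `min_categories=3` follows the "at least three of the following four categories" wording and `min_categories=4` models the stricter reading that a special character is mandatory.

```python
import hashlib
import hmac
import os
import string

MIN_LEN = 8                    # assumption: the thread gives no minimum length
SPECIALS = set("!#$%-_=+<>")   # assumption: constructed stand-in for the site's set
ITERATIONS = 600_000           # assumption: PBKDF2-HMAC-SHA256 work factor


def categories(pw):
    """Count which of the four character categories the password uses."""
    return sum([
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in SPECIALS for c in pw),
    ])


def meets_policy(pw, min_categories=3):
    """Composition rules; these can only be evaluated on the plaintext."""
    return len(pw) >= MIN_LEN and " " not in pw and categories(pw) >= min_categories


def _derive(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def make_record(pw):
    """What the server keeps: a random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(pw, salt)}


def login(record, pw, min_categories=3):
    """Verify against the stored hash first, then apply the current rules."""
    if not hmac.compare_digest(_derive(pw, record["salt"]), record["hash"]):
        return "wrong-password"
    if not meets_policy(pw, min_categories):
        # Correct password that predates the current rules: ask for a change
        # with an explicit message instead of reporting it as incorrect.
        return "ok-but-rules-changed"
    return "ok"
```
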