(bug): Limited password validation on forgot password
Summary
When you forget your password, the password strength enforcement is different. Characters like @ are not allowed, but an all-lowercase password with no numbers or symbols is.
Steps to reproduce
- Log out
- Click on forgot my password on login form
- Follow the instructions
- Try an all-lowercase password containing an @
- Try removing the @
Platform information
Very likely cross-platform but reproduced on S7 edge.
What is the current bug behavior?
Weak passwords are allowed.
What is the expected correct behavior?
Weak passwords should not be allowed.
Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's very hard to read otherwise.)
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)
added labels: 1 - High, P - Onboarding, P - Platform, T - Bug
changed title from (high): Limited password validation on forgot password to (bug): Limited password validation on forgot password
assigned to @benhayward.ben
changed weight to 3
changed milestone to %sprint: Hipster Hedgehog
added S - InProgress label
added S - Review label and removed S - InProgress label
changed weight to 5
changed milestone to %sprint: Hipster Hedgehog
changed weight to 5
moved from engine#513 (closed)
mentioned in merge request !369
removed S - Review label
- Owner
This is for the backend to restrict, not the frontend
- Developer
Good point, the back-end is needed. My personal preference, then, would be to put both front-end and back-end validation in, which allows us to handle incorrect passwords without throwing unneeded requests at the server.
That being said I'm sure you've considered that already, so I'll re-do this for the back-end this sprint.
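The divergent check the summary describes and the server-side enforcement the Owner asks for, as an added example that is not the project's own code: one policy function that both the sign-up and the forgot-password handlers call on the server, shown next to a reset-only check with the behaviour the report describes. The function names (legacyResetCheck, passwordPolicy, flowsAgree) and the concrete rules are assumptions for illustration.

```typescript
// Added example, not project code. Names and rules are assumptions.
interface PolicyResult {
  ok: boolean;
  reasons: string[];
}

// The reset-only check described in the issue: it rejects '@' but accepts
// an all-lowercase password with no digits or symbols.
function legacyResetCheck(password: string): PolicyResult {
  const reasons: string[] = [];
  if (password.length < 8) reasons.push('too short');
  if (password.includes('@')) reasons.push("'@' not allowed");
  return { ok: reasons.length === 0, reasons };
}

// One policy applied identically for sign-up and for reset. The front end
// may call it for early feedback, but the server-side call is the one that
// enforces it, so a client that skips the check gains nothing.
function passwordPolicy(password: string): PolicyResult {
  const reasons: string[] = [];
  if (password.length < 8) reasons.push('at least 8 characters');
  if (!/[a-z]/.test(password)) reasons.push('a lowercase letter');
  if (!/[A-Z]/.test(password)) reasons.push('an uppercase letter');
  if (!/[0-9]/.test(password)) reasons.push('a digit');
  if (!/[^A-Za-z0-9]/.test(password)) reasons.push('a symbol');
  return { ok: reasons.length === 0, reasons };
}

// Both server entry points delegate to the same policy, so a password
// accepted on reset is exactly a password accepted on registration.
function handleRegister(password: string): PolicyResult {
  return passwordPolicy(password);
}
function handleResetPassword(password: string): PolicyResult {
  // Reset-token verification is assumed to happen before this point.
  return passwordPolicy(password);
}

// Regression check for the reported inconsistency: every sample must get
// the same verdict from both flows.
function flowsAgree(samples: string[]): boolean {
  return samples.every(
    (p) => handleRegister(p).ok === handleResetPassword(p).ok,
  );
}
```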