Next

Summary

When you forget your password, the password strength enforcement is different. Characters like @ are not allowed, but all lower case with no numbers and symbols is.

Steps to reproduce

1. Log out
2. Click on forgot my password on login form
3. follow instructions
4. try an all lower case password with an @
5. try removing the @

Platform information

Very likely cross-platform but reproduced on S7 edge.

What is the current bug behavior?

Weak passwords are allowed.

What is the expected correct behavior?

Weak passwords should not be allowed.

Relevant logs and/or screenshots

(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's very hard to read otherwise.)

Possible fixes

(If you can, link to the line of code that might be responsible for the problem)

added 1 - High P - Onboarding P - Platform T - Bug labels

changed title from (high): Limited password validation on forgot password to (bug): Limited password validation on forgot password

assigned to @benhayward.ben

changed weight to 3

changed milestone to %sprint: Hipster Hedgehog

added S - InProgress label

added S - Review label and removed S - InProgress label

changed weight to 5

changed milestone to %sprint: Hipster Hedgehog

changed weight to 5

moved from #513 (closed)

mentioned in merge request front!369 (closed)

removed S - Review label

This is for the backend to restrict, not the frontend

Good point, back-end is needed, my personal preference then would be to put front-end and back-end validation in, which allows us to handle incorrect passwords without throwing unneeded requests at the server.

That being said I'm sure you've considered that already, so I'll re-do this for the back-end this sprint.

added S - InProgress label

changed milestone to %sprint: Hipster Hedgehog

changed weight to 5

moved from front#1442 (closed)