#6111 closed defect (bug) (fixed)
User can input old password as new
Reported by: | slaFFik | Owned by: | imath |
---|---|---|---|
Milestone: | 2.3 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Settings | Keywords: | good-first-bug has-patch needs-testing |
Cc: |
Description
... when changing the password on /members/slaffik/settings/
Not sure this is a right decision. IMO we should check that they are different (old vs new)
Attachments (2)
Change History (14)
#2
@
10 years ago
- Keywords needs-patch good-first-bug added
- Milestone changed from Awaiting Review to Future Release
I think slaFFik is saying you can complete this form by putting the same password in the "old" and "new" screens, and is suggesting we ought to displaying an error if the new password is identical. I think it's worth adding such feedback to the UI, or, surfacing WordPress' error messages if this is another one we are hiding.
#3
@
10 years ago
Yeah, assuming that DJPaul's interpretation is correct, let's do this. If this is about keeping password history, I say wontfix - this is WP territory.
#4
@
10 years ago
Just to chip in with my two pennies worth...
If a member has changed their password, then that indicates either a) they had forgotten their old password or b) their old password had been compromised. If it's the case of the latter and at a later date the member again changes their password (this time to the old compromised password perhaps forgetting it was compromised in the past) then that could pose a security threat.
If remembering old passwords is a trivial thing to do then I'd opt for that approach.
#6
@
10 years ago
- Keywords has-patch added; needs-patch removed
@slaFFik cool :)
In that case, please see 6111.diff which checks if the user-submitted new password is different to the user-submitted current password. If they're the same then an error message is given.
#8
@
10 years ago
Thanks for the patch!
Regarding different to in error message:
http://www.oxforddictionaries.com/words/different-from-than-or-to
Perhaps, different from should be used instead?
#9
@
10 years ago
You're right. "different from" is more commonly used. I blame my local dialect :)
See 6111.02.diff
#10
@
10 years ago
- Owner set to imath
- Resolution set to fixed
- Status changed from new to closed
In 9628:
#11
@
10 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
We were too quick on the latest commit. The super admin do not have to specify his current password to change his password ( the "pwd" input is not set ).
As a result when a super admin changes his password from the user settings, we get a notice.
That would require keeping track of passwords.
If we decided to do this, do we keep this as a user meta entry with an array of the older hashed passwords? This doesn't sound good from a security standpoint:
http://resources.infosecinstitute.com/wordpress-password-hashes/
The default hashing algorithm can be cracked with brute-force.