Bug #56004

closed

Retain username when entering an insecure password

Added by Michael Schams about 10 years ago. Updated about 4 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Security
Target version: -
Start date: 2014-02-16
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:

Description

When installing TYPO3 CMS 6.2 from scratch, at the step create user and import base data, you have the option to enter a username and a password for the initial administrator user. Field username is pre-filled with "admin".

- change "admin" to your own username (e.g. "firstname.lastname")
- use a short, insecure password
- click "continue" button

Message appears "Administrator password not good enough!" and form comes up again.
At this point, field username falls back to "admin".

However, the username was not the problem and from a usability perspective you would expect that valid data entered should remain. Therefore, the field should be pre-filled with the previously entered value (e.g. "firstname.lastname") rather than fall back to "admin".

This issue occurs in TYPO3 CMS 6.2.0beta5.


Files

screenshot0014.png (39.3 KB), Michael Schams, 2014-02-16 03:57
screenshot-20200116-0850.png (163 KB), Michael Schams, 2020-01-15 22:59

Related issues 3 (1 open, 2 closed)

Related to TYPO3 Core - Feature #21659: Introduce Password Policies (Closed, 2009-11-24)
Related to TYPO3 Core - Feature #80793: provide configurable password policies (Closed, 2017-04-10)
Related to TYPO3 Core - Feature #80792: Password strength meter for BE Login (New, 2017-04-10)

#1

Updated by Mathias Schreiber over 8 years ago

  • Target version set to next-patchlevel
  • Complexity set to easy

#2

Updated by Benni Mack over 8 years ago

  • Status changed from New to Accepted

Thought it would be an easy fix, but took me a bit longer, still haven't gotten it to work (due to redirect stuff in the install tool).

#3

Updated by Riccardo De Contardi almost 7 years ago

  • Related to Feature #80793: provide configurable password policies added

#4

Updated by Riccardo De Contardi almost 7 years ago

  • Related to Feature #80792: Password strength meter for BE Login added

#5

Updated by Oliver Hader about 5 years ago

  • Category changed from Install Tool to Security
  • Target version deleted (next-patchlevel)

#6

Updated by Benni Mack about 4 years ago

  • Status changed from Accepted to Needs Feedback

Hi Michael,

please re-check if this is still an issue with TYPO3 v9+

#7

Updated by Michael Schams about 4 years ago

I have re-tested the behaviour in 9.5.13. We can close this ticket as we are now using JavaScript to verify the password strength:
typo3/sysext/install/Resources/Public/JavaScript/Modules/PasswordStrength.js

See attached screenshot-20200116-0850.png.

Using a weak/short password is reported in real-time while entering the data and the submit button remains disabled.
Therefore the username is not changed/cleared.

#8

Updated by Benni Mack about 4 years ago

  • Status changed from Needs Feedback to Closed

Thanks for your feedback, Michael!
