Bug #56004

Retain username when entering an insecure password

Added by Michael Schams over 8 years ago. Updated over 2 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Security
Target version: -
Start date: 2014-02-16
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:

Description

When installing TYPO3 CMS 6.2 from scratch, at the step create user and import base data, you have the option to enter a username and a password for the initial administrator user. Field username is pre-filled with "admin".

- change "admin" to your own username (e.g. "firstname.lastname")
- use a short, insecure password
- click "continue" button

Message appears "Administrator password not good enough!" and form comes up again.
At this point, field username falls back to "admin".

However, the username was not the problem and from a usability perspective you would expect that valid data entered should remain. Therefore, the field should be pre-filled with the previously entered value (e.g. "firstname.lastname") rather than fall back to "admin".

This issue occurs in TYPO3 CMS 6.2.0beta5.


Files

screenshot0014.png (39.3 KB) Michael Schams, 2014-02-16 03:57
screenshot-20200116-0850.png (163 KB) Michael Schams, 2020-01-15 22:59

Related issues

Related to TYPO3 Core - Feature #21659: Introduce Password Policies (Closed, 2009-11-24)
Related to TYPO3 Core - Feature #80793: provide configurable password policies (On Hold, 2017-04-10)
Related to TYPO3 Core - Feature #80792: Password strength meter for BE Login (New, 2017-04-10)

#1

Updated by Mathias Schreiber over 6 years ago

  • Target version set to next-patchlevel
  • Complexity set to easy
#2

Updated by Benni Mack over 6 years ago

  • Status changed from New to Accepted

Thought it would be an easy fix, but took me a bit longer, still haven't gotten it to work (due to redirect stuff in the install tool).

#3

Updated by Riccardo De Contardi over 5 years ago

  • Related to Feature #80793: provide configurable password policies added
#4

Updated by Riccardo De Contardi over 5 years ago

  • Related to Feature #80792: Password strength meter for BE Login added
#5

Updated by Oliver Hader over 3 years ago

  • Category changed from Install Tool to Security
  • Target version deleted (next-patchlevel)
#6

Updated by Benni Mack over 2 years ago

  • Status changed from Accepted to Needs Feedback

Hi Michael,

please re-check if this is still an issue with TYPO3 v9+

#7

Updated by Michael Schams over 2 years ago

I have re-tested the behaviour in 9.5.13. We can close this ticket as we are now using JavaScript to verify the password strength:
typo3/sysext/install/Resources/Public/JavaScript/Modules/PasswordStrength.js

See attached screenshot-20200116-0850.png.

Using a weak/short password is reported in real-time while entering the data and the submit button remains disabled.
Therefore the username is not changed/cleared.

#8

Updated by Benni Mack over 2 years ago

  • Status changed from Needs Feedback to Closed

Thanks for your feedback, Michael!
