password complexity requirement not shown to user #4279

Closed
opened 2025-11-02 05:44:40 -06:00 by GiteaMirror · 7 comments
Owner

Originally created by @8ctopus on GitHub (Nov 10, 2019).

  • Gitea version (or commit ref): 1.10.0-rc2
  • Git version: 2.17.1
  • Operating system: Ubuntu 18.04.3 LTS
  • Database (use [x]):
    • MySQL
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

The password complexity requirement rules are not shown on account creation/password reset so it's hard for users to figure out what is a valid password and what isn't. Therefore it would be great to show the rules in the error message as on the screenshot.

2019-11-10_113606

Originally created by @8ctopus on GitHub (Nov 10, 2019). - Gitea version (or commit ref): 1.10.0-rc2 - Git version: 2.17.1 - Operating system: Ubuntu 18.04.3 LTS - Database (use `[x]`): - [x] MySQL - Can you reproduce the bug at https://try.gitea.io: - [x] Yes (provide example URL) - [ ] No - [ ] Not relevant ## Description The password complexity requirement rules are not shown on account creation/password reset so it's hard for users to figure out what is a valid password and what isn't. Therefore it would be great to show the rules in the error message as on the screenshot. ![2019-11-10_113606](https://user-images.githubusercontent.com/13252042/68540099-8e035f80-03ae-11ea-824e-1f50df2431b6.png)
GiteaMirror added the topic/ui label 2025-11-02 05:44:40 -06:00
Author
Owner

@lunny commented on GitHub (Nov 10, 2019):

This is something annoying.

@lunny commented on GitHub (Nov 10, 2019): This is something annoying.
Author
Owner

@bwenrich commented on GitHub (Nov 11, 2019):

This would be a good usability improvement, so users will know immediately what they have to correct.

Ideally, it could identify which rule(s) are not passing, but I see two problems with that based on existing logic in https://github.com/go-gitea/gitea/blob/master/modules/password/password.go#L58:

  1. The function returns only a boolean, without identifying the failed rule(s)
  2. The function appears to exit as soon as the first failure is found. So it is possible that another complexity rule would also fail, but it not yet checked.

Since the complexity rules are also configurable with parameters like MIN_PASSWORD_LENGTH and PASSWORD_COMPLEXITY, there would need to be some kind of logic to dynamically construct the summary of complexity rules out of locale strings.

@bwenrich commented on GitHub (Nov 11, 2019): This would be a good usability improvement, so users will know immediately what they have to correct. Ideally, it could identify which rule(s) are not passing, but I see two problems with that based on existing logic in https://github.com/go-gitea/gitea/blob/master/modules/password/password.go#L58: 1. The function returns only a boolean, without identifying the failed rule(s) 2. The function appears to exit as soon as the first failure is found. So it is possible that another complexity rule would also fail, but it not yet checked. Since the complexity rules are also configurable with parameters like MIN_PASSWORD_LENGTH and PASSWORD_COMPLEXITY, there would need to be some kind of logic to dynamically construct the summary of complexity rules out of locale strings.
Author
Owner

@zeripath commented on GitHub (Nov 11, 2019):

@bwenrich would you be able to put up a pr?

@zeripath commented on GitHub (Nov 11, 2019): @bwenrich would you be able to put up a pr?
Author
Owner

@8ctopus commented on GitHub (Nov 11, 2019):

@bwenrich some of the logic must be implemented separately as if you make a password that is too short, you will get the appropriate error message: "Password length cannot be less than 6 characters."

@8ctopus commented on GitHub (Nov 11, 2019): @bwenrich some of the logic must be implemented separately as if you make a password that is too short, you will get the appropriate error message: "Password length cannot be less than 6 characters."
Author
Owner

@bwenrich commented on GitHub (Nov 11, 2019):

Thank you @zeripath and @8ctopus for the feedback. I am not familiar yet with the full logic flow of the password validation and all the places it might be used.

I see now that there is an existing separate check for setting.MinPasswordLength which produces the "password_too_short" locale message. And then the password.IsComplexEnough function checks other complexity rules associated with the "password_complexity" locale message.

My opinion is that there should be some functionality to show all the password requirements to the user (both length and complexity), though I don't know how to implement this.

Should there also be some way to see this (ie: a tooltip or collapseable menu) before submitting the page?

@bwenrich commented on GitHub (Nov 11, 2019): Thank you @zeripath and @8ctopus for the feedback. I am not familiar yet with the full logic flow of the password validation and all the places it might be used. I see now that there is an existing separate check for setting.MinPasswordLength which produces the "password_too_short" locale message. And then the password.IsComplexEnough function checks other complexity rules associated with the "password_complexity" locale message. My opinion is that there should be some functionality to show all the password requirements to the user (both length and complexity), though I don't know how to implement this. Should there also be some way to see this (ie: a tooltip or collapseable menu) before submitting the page?
Author
Owner

@guillep2k commented on GitHub (Nov 11, 2019):

I don't think it's necessary to show exactly what failed. Only what rules are in place. e.g.:

You password don't pass the minimum requirements:
- Minimum length of 6 characters.
- At least one digit.
- At least one uppercase letter ...

etc. This message requires less changes and it's easier to synthesize and translate.

@guillep2k commented on GitHub (Nov 11, 2019): I don't think it's necessary to show exactly what failed. Only what rules are in place. e.g.: ``` You password don't pass the minimum requirements: - Minimum length of 6 characters. - At least one digit. - At least one uppercase letter ... ``` etc. This message requires less changes and it's easier to synthesize and translate.
Author
Owner

@8ctopus commented on GitHub (Nov 12, 2019):

agreed just rules would suffice.

@8ctopus commented on GitHub (Nov 12, 2019): agreed just rules would suffice.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#4279