After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 700333 - All passwords are 'not good enough' if the username field is empty
All passwords are 'not good enough' if the username field is empty
Status: RESOLVED OBSOLETE
Product: gnome-initial-setup
Classification: Applications
Component: general
0.10
Other Linux
: Normal minor
: ---
Assigned To: GNOME Initial Setup maintainer(s)
GNOME Initial Setup maintainer(s)
Depends on:
Blocks:
 
 
Reported: 2013-05-14 19:43 UTC by Adam Williamson
Modified: 2017-06-01 08:31 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
account: Update password hints based on username changes (4.59 KB, patch)
2013-06-06 22:04 UTC, Michael Wood
needs-work Details | Review

Description Adam Williamson 2013-05-14 19:43:04 UTC
On the 'create a user' step of g-i-s, if you enter a password before entering a username, your password always shows as 'not good enough' (or 'too short'), no matter how good it is.

If you leave a 'good' password entered and type anything into the 'username' field, the password 'magically' becomes good.

gnome-initial-setup-0.10-1.fc19.x86_64
Comment 1 Allan Day 2013-05-17 12:54:52 UTC
Make password entry insensitive if there's not a valid user name?
Comment 2 Michael Wood 2013-06-06 22:04:19 UTC
Created attachment 246193 [details] [review]
account: Update password hints based on username changes

- Username changes update the password hint as passwords which contain
  parts of the username need to be re-validated.
- Fix leak of the username.
- Make sure that the validation state is reset so that the previous hint
  doesn't continue to be displayed.
Comment 3 Jasper St. Pierre (not reading bugmail) 2013-06-16 03:57:35 UTC
Review of attachment 246193 [details] [review]:

This contains a bunch of random unrelated changes. Can you split some of these out?

::: gnome-initial-setup/pages/account/gis-account-page.c
@@ +353,3 @@
+  if (strlen (username) == 0) {
+      g_free (username);
+      username = NULL;

I'm confused. Is this implying that pw_strength treats a NULL username differently from a zero-length one? That seems like a libpwquality bug to me.

@@ +372,3 @@
+  clear_entry_validation_error (GTK_ENTRY (password_entry));
+
+  if (strength < 0.5)

Why was this changed?
Comment 4 Michael Wood 2013-06-17 17:31:52 UTC
(In reply to comment #3)
> Review of attachment 246193 [details] [review]:
> 
> This contains a bunch of random unrelated changes. Can you split some of these
> out?
> 
> ::: gnome-initial-setup/pages/account/gis-account-page.c
> @@ +353,3 @@
> +  if (strlen (username) == 0) {
> +      g_free (username);
> +      username = NULL;
> 
> I'm confused. Is this implying that pw_strength treats a NULL username
> differently from a zero-length one? That seems like a libpwquality bug to me.
> 

Yes, in pwquality it only checks for NULL and not 0 length. So the null terminator gets matched (I think) and the user gets "Password contains Username" etc

libpwquality / check.c:498


> @@ +372,3 @@
> +  clear_entry_validation_error (GTK_ENTRY (password_entry));
> +
> +  if (strength < 0.5)
> 
> Why was this changed?

Can't remember any more, I'll pull it out.
Comment 5 Jasper St. Pierre (not reading bugmail) 2013-06-17 17:42:13 UTC
(In reply to comment #4)
> Yes, in pwquality it only checks for NULL and not 0 length. So the null
> terminator gets matched (I think) and the user gets "Password contains
> Username" etc
> 
> libpwquality / check.c:498

Yeah, that seems like libpwquality's fault.
Comment 6 Michael Wood 2013-06-17 18:04:01 UTC
Will wait on: https://fedorahosted.org/libpwquality/ticket/1
Comment 7 Adam Williamson 2013-06-17 18:06:14 UTC
We need this fixed for downstream PDQ, as in, within the next week or so. Waiting on upstream libpwquality changes may not be practical for Fedora. We can always carry a downstream patch if necessary, but just highlighting the urgency.
Comment 8 Adam Williamson 2013-06-17 18:06:31 UTC
er, oh wait, that's a different issue. this one isn't so serious. never mind.
Comment 9 Ondrej Holy 2013-07-03 17:02:24 UTC
(In reply to comment #6)
> Will wait on: https://fedorahosted.org/libpwquality/ticket/1

Filed also at:
https://bugzilla.redhat.com/show_bug.cgi?id=980968
Comment 10 Ondrej Holy 2013-07-17 12:40:27 UTC
It has been fixed in libpwquality:

https://bugzilla.redhat.com/show_bug.cgi?id=980968
Comment 11 Michael Wood 2013-07-17 13:01:44 UTC
Not fixed yet, this wasn't just a libpwquality issue
Comment 12 Ondrej Holy 2017-06-01 08:31:57 UTC
Username and password are set on two different pages, so this should not be an issue currently...