Password reset allows backslash, but produces a broken password

Hi,
when I click ‘password forgotten’, receive a mail and open the link to reset the password, the dialog tells me which characters are allowed:
Special characters (e.g. !@#$%^&*)

Anyways, it allows me to use all kinds of other special characters.
Unfortunately, some special characters will produce a password that will not work.

According to my findings, at least backslash is an issue. I have the feeling that there are more.

E.g.
does not work
N9.6\G)xNV!

works:
N9.6.G.xNV.
N9.6.G)xNV!
N9%6.G)xNV!
N9%6-G)xNV!,mpQ~('!<=]@{#~;,{}/#?^.=,<#=?|<,#<.]:^!-

Welcome to the Auth0 Community @josef.etz!

I think there might be a misunderstanding. “e.g.” means “for example”, so we didn’t want to include a full list of special characters there but just a sub-set that would serve just as an example.

The supported Special Characters are the ones defined in the OWASP Password Policy recommendation document, so they are: " !"#$%&'()*+,-./:;<=>?@[]^_`{|}~ ". You can review this in one of our libraries too: password-sheriff/contains.js at master · auth0/password-sheriff · GitHub

Regarding the problem with the backslash character, I’ve just tested the password you said “N9.6\G)xNV!” and it did work for me: I changed the password for one of my users, assigned that one you’ve said, and tried to log in with that new password successfully. Could you describe your reproduction steps and what error/behaviour you are observing, please?

2 Likes
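A way to check which characters of a candidate password fall inside the OWASP special-character set mentioned in the answer above, as an added example that is not Auth0's or password-sheriff's code. The names `OWASP_SPECIALS` and `classify` are assumptions for illustration, and the sample passwords are the ones quoted in this thread plus one constructed non-ASCII case.

```javascript
// Added example; not taken from password-sheriff or any Auth0 library.
// OWASP special characters: space plus 32 printable ASCII symbols.
// The backslash is written as "\\" because a lone "\" starts an escape sequence.
const OWASP_SPECIALS = new Set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~");

// Sort every character of a password into a class and report anything
// that belongs to none of the four classes (for example non-ASCII letters).
function classify(password) {
  const report = { lower: 0, upper: 0, digit: 0, special: [], outside: [] };
  for (const ch of password) {            // iterates by code point
    if (ch >= "a" && ch <= "z") report.lower++;
    else if (ch >= "A" && ch <= "Z") report.upper++;
    else if (ch >= "0" && ch <= "9") report.digit++;
    else if (OWASP_SPECIALS.has(ch)) report.special.push(ch);
    else report.outside.push(ch);
  }
  return report;
}

// Passwords quoted in the thread, with the backslash escaped for JS source.
const samples = [
  "N9.6\\G)xNV!",
  "N9.6.G)xNV!",
  "N9%6-G)xNV!,mpQ~('!<=]@{#~;,{}/#?^.=,<#=?|<,#<.]:^!-",
  "N9.6\u00e4G)xNV!",                     // constructed: contains a non-ASCII letter
];

for (const pw of samples) {
  const r = classify(pw);
  console.log(JSON.stringify(pw), "length", [...pw].length,
              "special", r.special.join(""), "outside", r.outside.join(""));
}

// Pitfall when reproducing a report like this from a script: written without
// escaping, "\G" is an identity escape and the backslash silently disappears.
const unescaped = "N9.6\G)xNV!";
console.log("unescaped literal length:", unescaped.length); // one shorter
```

When a test script and the reset form disagree about a password that contains a backslash, comparing the lengths of the two strings is a quick first check.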

Thanks for helping with this one @Ale !