Bug report: Password change accepts values that login form does not

  • 29 December 2018
  • 3 replies
  • 249 views

I tried to report this through the Chatbot, but got no response there.

Long story short, the password change function in the web app will accept passwords that the login form does not accept. ie, it's possible to set your password to something that cannot actually be used to log in, which then forces a password reset to access the account. It's really annoying when you run into it.

The following two passwords were accepted for changing my password, but not for logging in:
&Wz?=?2rHE
bmUG,jd96V{A

My current password is different than those (since I couldn't use them to login...), so posting them here isn't a security risk. It appears to be Javascript form validation that's blocking login, so you probably just need to make those two forms use the same validation settings. I suspect the problem is the special characters, but I didn't really dig into it.

3 replies

I had this problem today. Using bitwarden to generate new, more secure passwords but can't update my temporary password in mint mobile with it.

The orange box says mint mobile password can ONLY contain

!, @, #, $, %, ^, &, *, (, ), _, +, =, [, ], {, }, ;, :, `, ~


so I added one of these characters to the end of the generated password and it accepted it.
This may be the same thing that's happening with my account. I get one of those machine language type passcodes then try to change to a rememberable password and it's then impossible to login to my account from my phone with the new password.
I have seen the same problem. I use a password generator and it looks like even though a symbol is required, only certain symbols work. I have found that > and $ don't work. It would be nice if Mint would specify which symbols work and which won't.

Reply