[Beta Test] Server 2.2.7-beta - Password Complexity Test

Joplin Server 2.2.7-beta introduces a password complexity test when changing the user password (not on signup - yet?). Whilst it works "as is" for the "I have forgotten my password" resets (note1) it is not quite right when logging in to change the password.

A suggestion is to make it clear that a password warning is not just a warning; it also means that the password has been rejected and so not changed.

Just thinking of users who change their password to what is considered a weaker one, ignore the "warning", and have overwritten their password in their text file password list or thrown away the old post-it :slight_smile: They will only find that the new one does not work when they have logged out and try to log in again or try to use it for syncing.

Being the sync password it probably isn't going to be changed that much, but I am sure that it will happen!

(note1) Additionally the URL in the password reset email is just text and not hyperlinked.

EDIT: Just thought I'd add that the server software is getting pretty damn slick...
It's throwing an error if the password is not complex enough but I guess on this page it's somehow not displaying it. Thanks for the report, I'll check.

As for the signup page, I'm not really supporting it at the moment but I suppose it should also display the JS password handling, because server side it's doing the check.

I can't replicate this either. If I try to change my password I'm getting this as expected:

Is it not happening for you?

I obviously had a bad day when submitting this and my other "observation".

"A suggestion is to make it clear that a password warning is not just a warning; it also means that the password has been rejected and so not changed."

I did not mean that it did not show. I meant that it was not clear that the password was not being accepted.

  1. As an admin I went to change a user password to a simple password
  2. there was a small warning under the password entry box but I was still allowed to submit the page
  3. I got the big warning and I ignored it, thinking that the password had been accepted at step 2
  4. I went to use it and found I could not log in and I had to use the old password.

My suggestion was that the "big" warning at step 3 should make it clear that the password has not been changed. Ideally you would not be able to even submit the page at step 2 unless the password meets complexity requirements.

Sure but I'm trying to keep the JS validation code as small as possible, so I probably won't add this.

I guess a bigger issue is that it wasn't clear to you that the message was an error message, and that means changes have not been saved. Maybe I should prefix with "Changes were not saved: ....."

1 Like

It really was that simple... I just went and overcomplicated it ... :man_facepalming:

1 Like

No problem, if it wasn't clear to you, I expect it will not be for other users too. I've now prefixed the message with "Error: Your change were not saved: ...." which should make it clearer.