Feedback, Complaints or Problems

Don't use ANSI for your password
Fryst posted on Aug 05, 2016 2:02:25 AM

I've already sent an email to customer support, this is just to prevent fellow idiots from doing what I did/get this bug fixed.

So I tried to be smart and make a very secure password; while normally a good decision, I outsmarted the site and probably made my account impossible to log into, so in a sense I did succeed, but I literally cannot log into my account right now, so I'm using this as a temporary account to post this.

So I use Keepass 2 for storing and generating my passwords, well I decided to generate a password using High ANSI among other things. So an ANSI character might have a length of two where a normal character has a length of one, I don't think the password form on CH actually notices this and allows 15 character ANSI passwords through which could actually be well over the 15 character limit technically.

I mentioned I cannot log in, I had my password emailed to me because there is no password reset (at least one that I can find while logged out.) What I got was a garbled string of characters that vaguely resembled my randomly generated password, according to Notepad++ what I was sent had a length of 33, my original password has a length of 22. I also looked at the lengths closely and noticed the garbled password CH sent me occupies 22 columns, I imagine that has something to do with my original password being a string with a length of 22.

Moral of the story: don't bother using ANSI for your password, it will ruin your day whenever you need to log in after resetting your password. Hope this helps someone.

Also, since this is a feedback board, I seriously suggest a password reset feature that is available if you are not logged in (I mean, what's the point of a security question other than account recovery?). Sending an email with users' passwords in plain text is way less secure than a temporary password reset URL that works once for ten minutes.
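The length mismatch described above (22 characters in KeePass, 33 in Notepad++) is what happens when a password containing characters above U+007F is encoded as UTF-8 and then read back as a single-byte encoding. The script below is an added illustration, not code from the site or from the poster: it uses a constructed 22-character sample password (11 ASCII plus 11 Latin-1 "High ANSI" characters), shows the code-point and byte lengths diverging, reproduces the garbling by decoding the UTF-8 bytes as Latin-1, and then shows the defender-side handling that avoids both problems: normalise to NFC, encode once as UTF-8, store only a salted hash (so nothing can be emailed back in plain text), and verify by recomputing the hash. The PBKDF2 parameters and the 15-byte/25-byte limits are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample: 22 code points, 11 ASCII and 11 Latin-1 characters
# (e, n, section sign, cent, ...), the kind of string KeePass produces when the
# "High ANSI" character class is enabled. This is NOT anyone's real password.
SAMPLE_PASSWORD = "Aébñ3§!¢xØ9¿Kµq£7½ZçmÜ"


def char_length(password: str) -> int:
    """Length as the user and KeePass see it: number of Unicode code points."""
    return len(password)


def utf8_length(password: str) -> int:
    """Length as a byte-oriented form handler or database column sees it."""
    return len(password.encode("utf-8"))


def mojibake(password: str) -> str:
    """Reproduce the garbling: UTF-8 bytes reinterpreted as Latin-1.

    Every non-ASCII character becomes two visible characters, so a
    22-character password is displayed as a 33-character string."""
    return password.encode("utf-8").decode("latin-1")


def within_limit(password: str, limit: int, count_bytes: bool) -> bool:
    """A limit enforced on bytes and a limit enforced on code points disagree
    for any password that contains non-ASCII characters."""
    length = utf8_length(password) if count_bytes else char_length(password)
    return length <= limit


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Canonical server-side handling (assumed parameters, not the site's):
    normalise to NFC so visually identical input hashes identically, encode
    as UTF-8 exactly once, and derive a salted PBKDF2-HMAC-SHA256 hash.
    Only (salt, digest) is stored, so the plain password can never be emailed."""
    salt = salt or os.urandom(16)
    data = unicodedata.normalize("NFC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, 200_000)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


if __name__ == "__main__":
    pw = SAMPLE_PASSWORD
    print("code points:", char_length(pw))          # 22
    print("UTF-8 bytes:", utf8_length(pw))          # 33
    garbled = mojibake(pw)
    print("as Latin-1 :", garbled, "->", len(garbled), "characters")
    print("fits 25 code points:", within_limit(pw, 25, count_bytes=False))
    print("fits 25 bytes      :", within_limit(pw, 25, count_bytes=True))
    salt, digest = hash_password(pw)
    print("login with original:", verify_password(pw, salt, digest))
    print("login with garbled :", verify_password(garbled, salt, digest))
```

The last two lines make the practical point: a hash computed from the correctly encoded password still verifies the original input, while the garbled form that a Latin-1 round trip produces never will, which is why an emailed copy that has been through the wrong encoding is useless for logging in.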

PWizard posted on Aug 05, 2016 2:24:15 AM

The reason these types of passwords don't work is because our multiple web application firewalls see them as a potential SQL injection or XSS attack. Hackers have become very creative with the ways they try to inject data and convince the server to release confidential information. Apologies for this, but we'd rather be safe than sorry. Our website is attacked over 200,000 times PER DAY by hacker bots trying to break through our WAFs.

Any other comments or feedback on how to improve the password reset process should be directed at nevermore@cheathappens.com.

[Edited by PWizard, 8/5/2016 2:24:48 AM]
