Jira Service Management Data Center
JSDSERVER-5786

Service Desk customer sign up/password reset page does not indicate if the password does not meet the password policy requirements

      Summary

      Service Desk customer sign up/password reset page does not indicate if the password does not meet the password policy requirements

      Environment

      • Jira Service Desk 3.12.1
      • A password policy is enabled in Jira Server under /secure/admin/EditPasswordPolicy.jspa

      Steps to Reproduce (Sign up)

      1. As a Jira administrator, enable any password policy on /secure/admin/EditPasswordPolicy.jspa (the default is disabled; for this test, use the 'Secure' option, which:
        • Requires passwords to be at least 10 characters long and use at least 3 character types including at least 1 special character.
        • Rejects passwords that are even slightly similar to the previous password or the user's public information.
      2. As a JSD project administrator, go to the project administration page
      3. From the left sidebar, choose customers
      4. Then click the Add customers button in the top right corner
      5. Enter a new customer's email address to invite them to the JSD project
      6. As the customer at the other end of that email address, click the link in the email to go to Jira to set up your account
      7. Enter a password that does not meet the password policy in place for Jira; the example password used was ABCdef123456 (long enough, uses 3 character types, but has no special characters)

      Steps to Reproduce (Password Reset)

      1. As a Jira administrator, enable any password policy on /secure/admin/EditPasswordPolicy.jspa (the default is disabled; for this test, use the 'Secure' option, which:
        • Requires passwords to be at least 3 characters long and use at least 3 character types including at least 1 special character.
        • Rejects passwords that are even slightly similar to the previous password or the user's public information.
      2. As a JSD project administrator, go to the project administration page
      3. From the left sidebar, choose customers
      4. Then click the Add customers button in the top right corner
      5. Enter a new customer's email address to invite them to the JSD project
      6. As the customer at the other end of that email address, click the link in the email to go to Jira to set up your account
      7. Enter a password that does not meet the password policy in place for Jira, for example the previous password

      Expected Results

      This page in Jira should tell the end user that their password does not meet the password policy currently in place for this Jira site, AND the page should indicate which specific element of the password policy was not met (in this case, the lack of a special character).

      Actual Results

      • Nothing happens on the page.
      • The end user is not able to continue.
      • No visible error or warning appears in the browser.
      • Only in the browser console log can you see an HTTP 400 (Bad Request) error when trying to continue. Inspecting a HAR file of this event shows a JSON response of
        {"errors":[],"reasonKey":"The password must satisfy the password policy","reasonCode":"400"}

        However, this response currently has no way to appear to the end user.
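      As an added example (not Atlassian's code), the JavaScript below shows how a sign-up or reset page could surface both the 400 JSON body quoted above and the specific 'Secure' policy element a password fails, instead of failing silently; the character classes and the `postFn`/`render` callbacks are assumptions.

```javascript
// Added example, not Atlassian code. Policy thresholds follow the 'Secure' option
// described in the reproduction steps; the character classes are an assumption.
const SECURE_POLICY = { minLength: 10, minCharTypes: 3, minSpecial: 1 };

const CHAR_TYPES = {
  lower: /[a-z]/,
  upper: /[A-Z]/,
  digit: /[0-9]/,
  special: /[^A-Za-z0-9]/,
};

// Returns the policy elements the password fails (empty array when it passes),
// so the page can say which element was not met instead of staying silent.
function policyFailures(password, policy = SECURE_POLICY) {
  const failures = [];
  if (password.length < policy.minLength) {
    failures.push(`must be at least ${policy.minLength} characters long`);
  }
  const typesUsed = Object.values(CHAR_TYPES).filter((re) => re.test(password)).length;
  if (typesUsed < policy.minCharTypes) {
    failures.push(`must use at least ${policy.minCharTypes} character types (uses ${typesUsed})`);
  }
  const specials = (password.match(/[^A-Za-z0-9]/g) || []).length;
  if (specials < policy.minSpecial) {
    failures.push(`must contain at least ${policy.minSpecial} special character`);
  }
  return failures;
}

// Maps the server's JSON error body (shape taken from the HAR capture above) to a
// message the UI can render; returns null for a successful status.
function describeSignupError(status, body) {
  if (status >= 200 && status < 300) return null;
  const details = Array.isArray(body && body.errors)
    ? body.errors.filter((e) => typeof e === 'string')
    : [];
  const reason = (body && body.reasonKey) || `Request failed (HTTP ${status})`;
  return details.length ? `${reason}: ${details.join('; ')}` : reason;
}

// Submit flow: check locally first, then surface any server-side rejection.
// postFn(password) -> { status, body } and render(message) are assumed callbacks.
async function submitPassword(password, postFn, render) {
  const local = policyFailures(password);
  if (local.length) { render(`Password ${local.join('; ')}.`); return false; }
  const { status, body } = await postFn(password);
  const message = describeSignupError(status, body);
  if (message) { render(message); return false; }
  return true;
}
```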

      Notes

      Workaround

      The Jira administrator either has to

      • Convey the password requirements ahead of time to the new user OR
      • temporarily disable the password policy

      A related scenario, JSDSERVER-5791 (Service Desk customer sign up page does not indicate why account cannot be created), occurs during account creation. It gives a different error but seems to share the same root cause.


            Lachlan G (Inactive) added a comment -

            3.16.3 is now released.

            Matt Cavanagh added a comment -

            Hello,

            Atlassian, please issue an update for this ticket as it's also affecting our customers.

            James Nurse added a comment -

            Bug was raised almost a year ago with High Priority & Severity 2, yet it's not even planned for a release yet? This issue can literally stop people using JSD if they are not aware enough to hover over the small i to manually view the password policy when changing their password/setting up an account.

            The workarounds suggested?

            • Tell customers ahead of time? Can't possibly do this when you have new & random customers emailing support tickets in
            • Disable the password policy? So we can just allow users to create accounts with basic passwords while handling potentially confidential data both in JSD and Jira Software

            These are not real workarounds; this issue does not have a proper workaround and needs looking into ASAP

            Jiri Kanicky added a comment -

            As we were asked for Impact... I believe that if customers are not able to reset their passwords, it qualifies as a pretty big problem. Every single customer of ours is raising a ticket with our IT department that they are not able to reset their password.

            Please note that we also have a password expiry policy set to 90 days and the users are facing the same issue.

            How would Atlassian like it if every single customer sent them a support request to reset their password manually?

            Jiri Kanicky added a comment -

            Hi,

            There is one additional issue and I can reproduce it with
            Crowd: 3.3.2
            JIRA: 7.12.3
            Service Desk: 3.15.3

            When a user types a new password which does not meet the password policy, the user is not able to type a different password during a second attempt. The token is invalidated by typing the incorrect password during the first attempt.

            I think the user should have more attempts available when typing the new password.

            Mark Hall added a comment -

            We found this same issue today when starting testing with Service Desk. The effect is that the sign-up page appears totally unresponsive when customers try to register with passwords that don't qualify under the current Jira Password policy.
            As it is, we cannot use Service Desk as we are not prepared to disable the password policy. As the error message is already returned from the server-side, hopefully the fix (to display the error) is trivial.

              kkanojia Kunal Kanojia
              aheinzer Andy Heinzer
              Affected customers: 20
              Watchers: 21