Bug 393730

Summary: inst_user_first.ycp advises users to use passwords without special characters
Product: [openSUSE] openSUSE 11.0
Reporter: Ludwig Nussel <lnussel>
Component: YaST2
Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: Beta 3plus
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2008-05-22 19:10:53 UTC
inst_user_first.ycp advises users to use passwords "without special characters". It actually wants to say that one should not use umlauts, however the way it is written (and then translated to e.g. German(!)) makes it sound like no 'special' characters like $, %, & etc. should be used. Later in the text it does explain more precisely why umlauts should be avoided, but no hint is given about what a good password looks like (and good passwords should contain non-alphanumeric chars).
Comment 1 Jiří Suchomel 2008-05-23 05:40:53 UTC
Too late for text changes now.
Comment 2 Marcus Meissner 2008-05-23 06:56:41 UTC
It's pretty much a security misfeature :/
Comment 3 Jiří Suchomel 2008-05-23 07:24:29 UTC
So, here are the parts of the help text relevant to password creation:

"When entering a password, distinguish between uppercase and lowercase. Passwords should not contain any special characters, such as accented characters. 
With the current password encryption (Blowfish), the password length should be between 5 and 72 characters. 
For the password, use only characters that can be found on an English keyboard layout. In cases of system error, it may be necessary to log in without a localized keyboard layout. 
To ensure that the password was entered correctly, repeat it exactly in a second field. Do not forget your password."

I admit it can be better, but it is not that misleading as reported.
This text has been the same for quite a long time, so I wonder why there would be a security issue right now.

I've closed the bug because if the texts were changed now, they would not get translated.
Comment 4 Marcus Meissner 2008-05-23 08:21:30 UTC
yeah. does not look as bad as it originally sounded.
Comment 5 Stephan Kulow 2008-06-25 09:11:56 UTC
mass reopening of later+remind bugs of 11.0
Comment 6 Jiří Suchomel 2008-06-25 09:19:03 UTC
Ludwig, any ideas for better wording?
Comment 7 Ludwig Nussel 2008-06-25 09:28:08 UTC
s/special characters/umlauts/
Comment 8 Jiří Suchomel 2008-06-25 09:41:55 UTC
Not very good. There exist other things, not only umlauts, which are German specific.

I'll use "Passwords should not contain any special characters, such as accented
characters or umlauts".
Comment 9 Ludwig Nussel 2008-06-25 10:14:18 UTC
That will lead to the same confusing translation. "special characters" means "Sonderzeichen" in German and those are $, % etc. What about "Passwords should not contain accented characters or umlauts".
Maybe merge that with the sentence that comes later that explains the connection to the English keyboard layout.
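The rules quoted in comment 3 (case sensitivity, 5 to 72 characters under Blowfish crypt, only characters found on an English keyboard layout) and the distinction made in comment 9 between ASCII "special characters" such as $, % and & and umlauts or accented letters, expressed as a small password checker. This is an added example in Python, not code from YaST or from inst_user_first.ycp; the function names, the error/warning/info levels and the sample passwords are this example's own, and the 72-byte limit is bcrypt's input limit (the "Blowfish" crypt scheme the help text refers to), which counts bytes, not characters.

```python
import string
import unicodedata

MIN_LEN = 5        # lower bound quoted in the YaST help text
MAX_BYTES = 72     # bcrypt ("Blowfish" crypt) hashes only the first 72 bytes

# Printable characters an English (US) keyboard layout produces without a
# dead key or compose sequence: letters, digits, ASCII punctuation, space.
ENGLISH_KEYBOARD = frozenset(string.ascii_letters + string.digits
                             + string.punctuation + " ")


def foreign_characters(password):
    """Characters that are not on an English keyboard layout (umlauts,
    accented letters, ...). ASCII punctuation such as $, % and & is NOT
    reported here: it is a 'special character' but perfectly typeable."""
    return sorted({c for c in password if c not in ENGLISH_KEYBOARD})


def check_password(password):
    """Apply the rules from the help text and return a list of
    (level, message) findings; an empty list means every rule is met.

    "error"   - the password will not work as the user expects,
    "warning" - it may not be enterable at a console login without the
                localized keyboard layout (the rescue case in the help text),
    "info"    - advice only (hypothetical level added by this example)."""
    findings = []

    if len(password) < MIN_LEN:
        findings.append(("error",
                         f"only {len(password)} characters, minimum is {MIN_LEN}"))

    # bcrypt counts bytes, not characters: an umlaut in UTF-8 is 2 bytes,
    # so 40 umlauts already exceed the limit and the excess is silently
    # ignored when hashing.
    nbytes = len(password.encode("utf-8"))
    if nbytes > MAX_BYTES:
        findings.append(("error",
                         f"{nbytes} bytes in UTF-8, only the first {MAX_BYTES} are hashed"))

    foreign = foreign_characters(password)
    if foreign:
        described = ", ".join(
            f"{c!r} ({unicodedata.name(c, 'unnamed')})" for c in foreign)
        findings.append(("warning",
                         "contains characters not on an English keyboard layout: "
                         + described))

    if not any(c in string.punctuation for c in password):
        findings.append(("info",
                         "no non-alphanumeric characters; adding some "
                         "(e.g. $ % & !) strengthens the password"))

    return findings


if __name__ == "__main__":
    # Constructed sample passwords, not values from the bug report.
    for sample in ["Tr0ub4dor&3", "Paßwort!", "ab", "ü" * 40]:
        print(repr(sample))
        for level, message in check_password(sample) or [("ok", "no findings")]:
            print(f"  {level}: {message}")
```

The checker deliberately keeps ASCII punctuation out of the "foreign" set, so a password like `Tr0ub4dor&3` passes cleanly while `Paßwort!` only earns the keyboard-layout warning; that is exactly the distinction the German "Sonderzeichen" translation blurs.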
Comment 10 Jiří Suchomel 2008-06-25 11:38:16 UTC
Maybe it would help to fix the German translation instead.
Comment 11 Jiří Suchomel 2008-07-08 08:33:44 UTC
fixed in svn