Community Forum

Flaw in "Reset your Password" flow

Hi there! Not a question, per se, more of a problem I found.

I use a password manager and, upon resetting the password for my account, used my manager's password generator feature. This auto-filled the "new password" fields with generated passwords and auto-submitted them to Xfinity, and they were accepted. The only problem is that my password generator was set to ~30 characters, and Xfinity limits passwords to 8-16 characters. Normally, if a user types out the password, a red text box appears and notifies the user that the password must be within the length constraint, and does not allow the user to proceed with a password outside that length. However, because my password manager auto-filled and auto-submitted the passwords, I bypassed that block and managed to reset my password to this ~30-character password. This prevented me from logging in, because the ~30-character password that Xfinity claimed was saved was not correct. I simply reset my password to one within the specified length and was able to log in again, but I thought the issue should be brought to light either way.

The "Reset your Password" flow should either account for a user potentially auto-filling and auto-submitting a password that is longer than 16 characters, or the upper limit on length should be removed. My preference is the latter, being someone concerned with computer security. ;)

Thanks for your time!

-C
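The post describes the classic gap between a client-side check and what the server actually accepts: the red warning lives in the browser, so anything that posts the form without going through it (a password manager, a curl request) skips it. The cause of the later login failure is not known from the post, so the example below does not claim to reproduce Xfinity's backend. It is an added example, not code from the post or from Xfinity, showing the fix a reviewer would ask for: the length policy is enforced once, server-side, in a function shared by the reset handler and the login handler, so an out-of-policy password is rejected with a clear error instead of being "saved" in a state that can no longer authenticate. The account store, the `reset_password`/`login` names and the policy bounds are assumptions; the 8-16 bound is the one the post reports, and the `max_len` parameter is there because a deployment would more likely want a generous upper bound (to cap hashing cost) than the 16-character one the poster objects to.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy bounds as reported in the post (assumed for this example).
MIN_LEN = 8
MAX_LEN = 16


class PasswordPolicyError(ValueError):
    """Raised when a submitted password violates the server-side policy."""


def check_policy(password: str, min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> None:
    # Length is counted in Unicode code points after the same decoding the
    # server applies on login, so set and verify can never disagree.
    n = len(password)
    if n < min_len or n > max_len:
        raise PasswordPolicyError(
            f"password must be {min_len}-{max_len} characters, got {n}"
        )


@dataclass
class Account:
    salt: bytes
    digest: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; parameters chosen to run quickly here.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)


# Hypothetical in-memory account store standing in for a real backend.
ACCOUNTS: dict[str, Account] = {}


def reset_password(username: str, new_password: str) -> None:
    """Reset handler: validates on the server regardless of what the browser did."""
    check_policy(new_password)  # never trust the client-side red box
    salt = os.urandom(16)
    ACCOUNTS[username] = Account(salt=salt, digest=_hash(new_password, salt))


def login(username: str, password: str) -> bool:
    """Login handler: same policy, same hashing, constant-time compare."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    try:
        check_policy(password)  # an out-of-policy password can never be valid
    except PasswordPolicyError:
        return False
    return hmac.compare_digest(_hash(password, acct.salt), acct.digest)


def simulate_autofilled_reset(username: str, generated_password: str) -> str:
    """Emulates a password manager posting a generated password straight to the
    reset endpoint, bypassing the client-side length warning entirely."""
    try:
        reset_password(username, generated_password)
        return "accepted"
    except PasswordPolicyError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs: a ~30-character generated password and a compliant one.
    print(simulate_autofilled_reset("c", "x" * 30))        # rejected: ...
    print(simulate_autofilled_reset("c", "correct-horse-1"))  # accepted
    print(login("c", "correct-horse-1"))  # True
    print(login("c", "x" * 30))           # False
```

The point is that the server's reject/accept decision is the only one that matters; the browser-side message is a usability aid. Because the same `check_policy` runs on login, a password that could not have been set can also never be mistaken for a valid credential, which removes the "saved but unusable" state the poster ended up in.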