Under review

20.6.28797.7465> Change Password behaviour

Matthew Held 5 months ago updated by JASON LAVIGNE 5 months ago 3

Received the following from a development contractor regarding his experience with being forced to change his temporary password on his local security account.

----
There is something wrong with the remote access password change. I am getting an error that the current password is wrong; however, I have discovered that the issue is something else.

Here is what I tested to confirm:

  1. Log on with the temp password provided
  2. Sent to the Change Password page
  3. Enter the current password and a new password twice
  4. Receive the error below
  5. Went back to the log on page
  6. Entered the new password
  7. Sent back to the Change Password page
  8. Entered the new password as the Current Password and a second new password
  9. Received the same error
  10. Went back to the log on page
  11. The second new password works, however I am back at the Change Password page

The error that I am receiving is not accurate. The current password is correct and the system is changing the password to the new password; however, it is stuck in a loop requiring the password to be changed.

I was able to gain access by using the Forgot Password link. I was able to reset the password and now I am in. I figured I would bring this to your attention.


ConnectWise Control Version: 20.6

I think there is confusion because you're able to access the Change Password page without entering a valid password at the initial login prompt. It sounds like the user never got past the Change Password page, so no new password was being saved. (Although there's some ambiguity over step 11, "the second new password works" - in what way?)

Thanks Eric, I've asked the gentleman who reported the issue to jump on here and chime in with his experience.

Hi,

I am the one who reported this issue. To clarify, I copied and pasted the temporary password both when I first logged on and second when prompted for the current password. I assumed, upon arriving at the Change Password page, that the password used on the Login page was accepted. Reading your note, it appears that this is not the case and the Login page is not validating the password before proceeding to the Change Password page. This also explains why it appeared that my new passwords were being accepted on the Login page, as I was also sent to the Change Password page with them.

So to answer your question of how did I know that my new password was accepted in step 11, it was because I was sent to the Change Password page.

It appears that if this is true, and the Login page is not validating the password before transferring to the Change Password page, then a) I received the wrong temporary password and the error message was correct and b) it led to the assumption that the temporary password was good because it appeared to work on the Login page.

If this is the case, it may be a good idea to validate the password before sending the user to the Change Password page. This would have immediately made it clear to me that the password I received was not good, and it would have removed the confusion and doubt in the error message's accuracy.

Hope that helps,

Jay
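
The sequence discussed in this thread, as an added example (not ConnectWise Control code and not from any poster): a hypothetical login handler that acts on the forced-change flag before checking the password reproduces the loop reported above, while a handler that verifies first rejects a bad temporary password at the login page. All function names, return strings and the sample account are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password, must_change=False):
        self.must_change = must_change
        self.set_password(password)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)

    def verify(self, password):
        return hmac.compare_digest(self.digest, hash_password(password, self.salt))

def login_flag_first(users, name, password):
    # Hypothetical flow matching the thread: the forced-change flag is
    # acted on before the submitted password has been checked.
    acct = users.get(name)
    if acct is not None and acct.must_change:
        return "change_password"  # reached even with a wrong password
    if acct is not None and acct.verify(password):
        return "home"
    return "login_failed"

def login_verify_first(users, name, password):
    # Suggested order: a bad temporary password fails at the login page.
    acct = users.get(name)
    if acct is None or not acct.verify(password):
        return "login_failed"
    return "change_password" if acct.must_change else "home"

def change_password(users, name, current, new):
    acct = users[name]
    if not acct.verify(current):
        return "current_password_incorrect"
    acct.set_password(new)
    acct.must_change = False
    return "ok"

if __name__ == "__main__":
    users = {"contractor": Account("Temp-Correct-1", must_change=True)}  # constructed
    print(login_flag_first(users, "contractor", "Temp-Mistyped-1"))
    print(login_verify_first(users, "contractor", "Temp-Mistyped-1"))
```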