password complexity requirement not shown to user

[8ctopus]

• Gitea version (or commit ref): 1.10.0-rc2
• Git version: 2.17.1
• Operating system: Ubuntu 18.04.3 LTS
• Database (use [x]):
  • MySQL
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant

Description

The password complexity requirement rules are not shown on account creation/password reset so it's hard for users to figure out what is a valid password and what isn't. Therefore it would be great to show the rules in the error message as on the screenshot.

[lunny]

This is something annoying.

[bwenrich]

This would be a good usability improvement, so users will know immediately what they have to correct.

Ideally, it could identify which rule(s) are not passing, but I see two problems with that based on existing logic in https://github.com/go-gitea/gitea/blob/master/modules/password/password.go#L58:

1. The function returns only a boolean, without identifying the failed rule(s)
2. The function appears to exit as soon as the first failure is found. So it is possible that another complexity rule would also fail, but it not yet checked.

Since the complexity rules are also configurable with parameters like MIN_PASSWORD_LENGTH and PASSWORD_COMPLEXITY, there would need to be some kind of logic to dynamically construct the summary of complexity rules out of locale strings.

[zeripath]

@bwenrich would you be able to put up a pr?

[8ctopus]

@bwenrich some of the logic must be implemented separately as if you make a password that is too short, you will get the appropriate error message: "Password length cannot be less than 6 characters."

[bwenrich]

Thank you @zeripath and @8ctopus for the feedback. I am not familiar yet with the full logic flow of the password validation and all the places it might be used.

I see now that there is an existing separate check for setting.MinPasswordLength which produces the "password_too_short" locale message. And then the password.IsComplexEnough function checks other complexity rules associated with the "password_complexity" locale message.

My opinion is that there should be some functionality to show all the password requirements to the user (both length and complexity), though I don't know how to implement this.

Should there also be some way to see this (ie: a tooltip or collapseable menu) before submitting the page?

[guillep2k]

I don't think it's necessary to show exactly what failed. Only what rules are in place. e.g.:

You password don't pass the minimum requirements:
- Minimum length of 6 characters.
- At least one digit.
- At least one uppercase letter ...

etc. This message requires less changes and it's easier to synthesize and translate.

[8ctopus]

agreed just rules would suffice.