Enhanced Security Maximum Password Length Is Considered False When The Password Has Non-Ascii Characters
Last updated on JUNE 13, 2017
Applies to: Oracle Agile Engineering Data Management - Version 188.8.131.52 and later
Information in this document applies to any platform.
E6 users who change their passwords using prt_mod_pwd (equivalent to the menu Tools->Change Password) run into the warning message "Your password must consist of up to 20 characters!" with passwords of length The condition is that the default parameter DTV-PWD-MAX-LEN GLOBAL I 20 is set, which restricts the maximum allowed size of the password to 20 characters.
The maximum length should reflect the maximum allowed number of characters in the string, regardless of whether ASCII or non-ASCII characters are used in UTF-8 encoding.
What is working:
All parameters are functioning correctly and the whole functionality behind the process of changing a password is working. Changing the password from an admin account via Manager->Permissions->User->Basic Data does allow the password §$%&/()=?´`°^*+'4q to be set.
The issue can be reproduced at will with the following steps:
1. Set the default parameter DTV-PWD-MAX-LEN GLOBAL I 20 along with the parameter DTV-PWD-ENC GLOBAL L y to enable enhanced security
2. Log in to an account and use the menu Tools->Change Password to open the dialog window
3. Change your regular password to "§$%&/()=?´`°^*+'4q" - the count is 18 characters
4. Find the warning message: Your password must consist of up to 20 characters!
5. The same warning is generated for a password consisting of 11 non-ASCII characters that occupy 2 bytes each instead of 1, e.g. "ąęąęąęąęąęą"
Users will be confused when they change their passwords because they count non-ASCII characters the same as ASCII characters.
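The behaviour in the steps above is consistent with the dialog comparing the UTF-8 byte length of the password against DTV-PWD-MAX-LEN instead of the character count; the article does not state how the check is implemented, so that is an assumption. The following Python code is an added example, not Oracle code, and its function names are hypothetical. It measures both lengths for the two passwords from the reproduction steps and also normalizes to NFC, which goes beyond the article, so that a decomposed character such as "a" plus a combining ogonek is counted once.

```python
import unicodedata

MAX_LEN = 20  # value of DTV-PWD-MAX-LEN in the reproduction steps


def utf8_len(password: str) -> int:
    """Length in bytes after UTF-8 encoding (assumed to be what the dialog compares)."""
    return len(password.encode("utf-8"))


def char_len(password: str) -> int:
    """Length in code points after NFC normalization (what a user counts)."""
    return len(unicodedata.normalize("NFC", password))


def multibyte_chars(password: str) -> list:
    """Characters that need more than one byte in UTF-8, with their byte width."""
    widths = [(c, len(c.encode("utf-8"))) for c in password]
    return [(c, w) for c, w in widths if w > 1]


def check(password: str, limit: int = MAX_LEN) -> dict:
    """Compare a byte-based limit check with a character-based one."""
    return {
        "chars": char_len(password),
        "bytes": utf8_len(password),
        "accepted_by_byte_check": utf8_len(password) <= limit,
        "accepted_by_char_check": char_len(password) <= limit,
        "multibyte": multibyte_chars(password),
    }


# The two passwords from the article, written with escapes so the exact
# code points are unambiguous: "§$%&/()=?´`°^*+'4q" and "ąęąęąęąęąęą".
PW_SYMBOLS = "\u00a7$%&/()=?\u00b4`\u00b0^*+'4q"
PW_POLISH = "\u0105\u0119" * 5 + "\u0105"

if __name__ == "__main__":
    for pw in (PW_SYMBOLS, PW_POLISH):
        r = check(pw)
        print(f"{pw!r}: {r['chars']} chars, {r['bytes']} bytes, "
              f"byte check accepts={r['accepted_by_byte_check']}, "
              f"char check accepts={r['accepted_by_char_check']}")
```

Both passwords stay within 20 characters but exceed 20 bytes, so only a byte-based comparison rejects them.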