SecureLogin Change Password dialog accepts null (empty) password

  • 7003018
  • 15-Apr-2009
  • 26-Apr-2012

Environment

Novell SecureLogin
NSL6.1
NSL6.1.0.014
Application dialog includes "ChangePassword" command

Situation

The Change Password dialog accepts empty "New Password" and "Confirm Password" fields.
It is possible to click "OK" with nothing in the "New Password" field.
When this happens, a password of <NOTSET> is created.

Steps to duplicate:

- Application definition calls the ChangePassword command; the Change Password dialog is presented.
- Enter something in the "New password" box AND THEN DELETE what was typed, leaving nothing in the "New password" field.
- Click OK (without entering anything in the "confirm password" box).
- SecureLogin accepts the null password; "Manage Logins" shows the new password to be <NOTSET>


This does not happen when adding a new password. If no password exists for the application, it is not possible to enter something in the password box, delete it and click OK. In this case SecureLogin will continue to prompt until a valid password is entered.



Resolution

Fixed in NSL6.1sp1 HotFix2

Workaround is to add a "RestrictVariable" command to the application definition script and apply a
password policy requiring the new password to have at least X number of characters.

Use "RestrictVariable" as follows:
1. Create a new Password Policy in Manage Logins (right-click the SecureLogin "hand" icon in the system tray and select "Manage Logins").
  - Right-click on "Password Policies" and select "new."
  - Enter something in the "Minimum Length" box at the top of the list of requirements for the new password policy.
2. Add a line in the script that associates the newly created password policy with the new password, as follows:
  RestrictVariable ?PasswordNew "PasswordPolicyName"
  (Note: the quotes around "PasswordPolicyName" are required.)
Note also that ?PasswordNew in this example is used as a temporary variable to hold on to the newly changed password until the new password has been successfully committed to the directory.
See the online documentation for more explanation of the RestrictVariable and ChangePassword commands.
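
The workaround in context, as an added example that is not taken from the original article or from the product documentation: a change-password section of an application definition with the policy bound to ?PasswordNew before ChangePassword runs. The window title, the control IDs (#1004, #1005, #1006, #1) and the policy name "MinLengthPolicy" are constructed placeholders; the policy is assumed to have been created with a Minimum Length as described in step 1.

```text
# Constructed example: title, control IDs and policy name are placeholders.

# Bind the password policy to the temporary variable first, so that
# the Change Password dialog applies the policy's Minimum Length to
# whatever the user enters for the new password.
RestrictVariable ?PasswordNew "MinLengthPolicy"

# Match the application's change-password window.
Dialog
  Class #32770
  Title "Change Password"
EndDialog

# Current password into the application's "old password" field.
Type $Password #1004

# Prompt the user for the new password; the value is held in the
# temporary variable ?PasswordNew rather than in $Password.
ChangePassword ?PasswordNew

# New password into the "new" and "confirm" fields, then submit.
Type ?PasswordNew #1005
Type ?PasswordNew #1006
Click #1

# Replace the stored credential only after the application has been
# given the new value.
Set $Password ?PasswordNew
```

After applying the script change, repeat the steps to duplicate and confirm in "Manage Logins" that the stored password no longer shows <NOTSET>.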