We noticed that it’s possible to bypass the password complexity check using the Change Password application (self service module).
We have a test user and we did try to set the password to abcdefghijklmNOPQRSTUVWXYZ012345 in the System and Domain Settings / Users / Testusers / General, using the password fields.
When trying to save the password, we did get the notification “The LDAP object could not be saved: Password policy error: it is too simplistic/systematic”.
Then, we logged out and opened the Change Password App.
This app asks 4 different things: username, old password and twice the new password.
We filled in all 4 fields, using the password “abcdefghijklmNOPQRSTUVWXYZ012345” (without the quotes) as new password.
Then, saving this, we did get the confirmation “The password has been changed successfully.”
This means it’s possible to set your password to a simple password, while the settings should prevent this…
Settings in UCR:
password/hashing/method : SHA-512
password/quality/credit/digits : 1
password/quality/credit/lower : 1
password/quality/credit/other : 1
password/quality/credit/upper : 1
password/quality/forbidden/chars : {empty}
password/quality/required/chars : {empty}
The simple password is missing the required “other” characters.
The Self Service App installed version is 3.0
Current version of UCS is 4.3-1 errata218
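
To confirm independently which rules the reported password breaks under the settings listed above, here is an added example (not part of the original post and not Univention's code). It assumes each `credit` value is a minimum count for that character class; `max_run` is a hypothetical threshold standing in for the "systematic" check and is not the algorithm UCS uses.

```python
# Settings copied from the post; "{empty}" is how the post shows an unset value.
UCR_TEXT = """\
password/quality/credit/digits : 1
password/quality/credit/lower : 1
password/quality/credit/other : 1
password/quality/credit/upper : 1
password/quality/forbidden/chars : {empty}
password/quality/required/chars : {empty}
"""

def parse_ucr(text):
    """Parse 'key : value' lines into a dict, mapping '{empty}' to ''."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            value = value.strip()
            settings[key.strip()] = "" if value == "{empty}" else value
    return settings

def longest_run(password):
    """Length of the longest run of consecutive code points (abc, 0123)."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if ord(cur) - ord(prev) == 1 else 1
        best = max(best, run)
    return best

def violations(password, settings, max_run=3):
    """Return the rules the password breaks; an empty list means it passes."""
    # Assumption: each credit value is the minimum count for its class.
    classes = {
        "digits": str.isdigit, "lower": str.islower, "upper": str.isupper,
        "other": lambda c: not c.isalnum(),
    }
    found = []
    for name, test in classes.items():
        need = int(settings.get("password/quality/credit/" + name, 0))
        have = sum(1 for c in password if test(c))
        if have < need:
            found.append(f"{name}: {have} < {need}")
    forbidden = settings.get("password/quality/forbidden/chars", "")
    if any(c in forbidden for c in password):
        found.append("forbidden character present")
    run = longest_run(password)
    if run > max_run:
        found.append(f"sequential run of {run}")
    return found
```

Running the same check against every path that can set a password (admin module and self-service app) is a quick way to spot an enforcement gap like the one reported here.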