Inline Password Change Accepts Bad Passwords

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version Affected: Up to 9.0.1



    A user has a realm that utilizes inline password change. The inline password change workflow forces a user to change a password that is expiring soon.

    If the user successfully enters the correct (or temporary) password that is expired (or expiring), the user can update their password.

    However, if the user enters a bad password, it still lets them through to enter their new password, but the bad password is cached, and changing the password fails. At this point, the user must completely restart the inline password change process, verifying that the password they are entering is correct.


    This is a bug. Only the username is scanned for validity in the first phase. It does not carry the password over to the next phase for verification (this is the bug.) This username and password must be separated out (username and password on different pages), which we will get to in the resolution.


    Change the authentication mode in the workflow tab from Username/Password (on same page), to Username/Password (on separate pages). In newer versions of the IdP, Username/Password on separate pages looks like "Username | Password," with the pipe symbol signifying different pages.

    1. Go to your SecureAuth IdP Administrator Console
    2. Select the realm in which you are configuring this for
    3. Go to the workflow tab
    4. In the workflow tab, scroll down to find the workflow section
    5. Change "Authentication Mode" to Username/Password (on separate pages)

    Another way to resolve this issue is to upgrade to 9.0.2.


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products

    0 out of 0 found this helpful



    Please sign in to leave a comment.