Inline Password Change Accepts Bad Passwords


SecureAuth IdP Version Affected: Up to 9.0.1



A user has a realm that utilizes inline password change. The inline password change workflow forces a user to change a password that is expiring soon.

If the user successfully enters the correct (or temporary) password that is expired (or expiring), the user can update their password.

However, if the user enters a bad password, the workflow still lets them through to the page where they enter their new password, but the bad password is cached and the password change fails. At this point, the user must restart the inline password change process from the beginning, making sure that the password they enter is correct.


This is a bug. In the first phase only the username is checked for validity; the password is not verified before the user is carried over to the next phase (this is the bug). The username and password entry must be separated out (username and password on different pages), which is covered in the resolution below.


Change the authentication mode in the workflow tab from Username/Password (on same page) to Username/Password (on separate pages). In newer versions of the IdP, Username/Password on separate pages appears as "Username | Password", with the pipe symbol signifying separate pages.

  1. Go to your SecureAuth IdP Administrator Console
  2. Select the realm you are configuring
  3. Go to the workflow tab
  4. In the workflow tab, scroll down to find the workflow section
  5. Change "Authentication Mode" to Username/Password (on separate pages)

Another way to resolve this issue is to upgrade to 9.0.2.
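To illustrate the cause described above and the effect of the separate-pages setting, here is an added Python model of the two workflows. It is hypothetical example code, not SecureAuth's implementation; the user store, the session fields and the function names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed user store for the demonstration (a plaintext stand-in for the
# directory bind; not SecureAuth data or code).
USERS = {"alice": {"password": "Old-Pass-1", "expired": True}}


@dataclass
class Session:
    username: Optional[str] = None
    cached_password: Optional[str] = None  # credential taken from page one
    stage: str = "login"


def phase_one_same_page(session: Session, username: str, password: str) -> str:
    """Model of the buggy 'Username/Password (on same page)' flow: only the
    username is validated; the password is cached unverified and the user is
    moved on to the new-password page regardless."""
    if username not in USERS:
        return "unknown user"
    session.username = username
    session.cached_password = password
    session.stage = "change"
    return "proceed"


def phase_one_separate_pages(session: Session, username: str, password: str) -> str:
    """Model of the corrected flow: the password is verified on its own page
    before the user can reach the new-password page."""
    user = USERS.get(username)
    if user is None or user["password"] != password:
        return "retry"  # user stays on the password page
    session.username = username
    session.cached_password = password
    session.stage = "change"
    return "proceed"


def change_password(session: Session, new_password: str) -> str:
    """Final step in both flows: the cached credential is checked only now.
    In the buggy flow a bad cached password surfaces here as a failed change,
    and the user has to restart the whole workflow."""
    user = USERS[session.username]
    if session.cached_password != user["password"]:
        session.stage = "login"
        return "change failed"
    user["password"] = new_password
    user["expired"] = False
    session.stage = "done"
    return "changed"
```

The same final check runs in both flows; the difference is whether a wrong password is caught on the password page or only after the user has already typed a new one.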
