Qualys FreeScan user account password

Discussion created by Jari Turkia on Mar 30, 2012
Latest reply on Apr 18, 2012 by Robert Dell'Immagine

The FreeScan user registration is a joke!

In the form it states:

Create Password (8-12 characters)

I'm using password vault software to store my passwords. It generates random ones at the click of a button. I clicked and got a nice 15-character password. The form gave me an error, which is obvious: there were too many characters. WHAT #1?! Yeah, sure. According to this security company it's not OK to have proper passwords.

The fix for that is easy: just remove the last 3 characters and it should comply with the length limitation. New try, and:

Password must be more than 8 characters and must contain at least one number or special character.

WHAT #2?! My password has more than 8 characters. It has at least one number and one special character.

Without compromising my security, I can reveal that the 15-character password I attempted to use was: l0olo;8^h!WGQQB

It should easily be acceptable under any policy. Funnily enough, a similar random password is OK for this forum. WHAT #3?! Consistency?

A little bit of de-obfuscating their minified JS code reveals that the real password policy is checked with the following regexp:

/(?!^[0-9!@#$]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9!@#\$%\^&\*]{8,200})$/

The cryptic string translates as:

  • The password length is from 8 to 200 characters.
  • There must be characters from two groups:
    • alphabet: a-z A-Z
    • numbers: 0-9 or any of the following special characters: !@#$%^&*

It was the semicolon in my password. It is not in the group of allowed special chars. WHAT #4?! If you require special chars, why does your error message not state that?

Qualys: fix that, please.

Regards,

Jari Turkia

Computer security enthusiast
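The policy regexp quoted in the post, as an added example that is not part of the original post and not Qualys' own code: a checker that applies the same regexp, plus a hypothetical explainRejection() that decomposes the regexp into its individual rules so a rejection can say which rule was broken (the diagnostic the post complains the real error message lacks). The function name, its messages and every sample password except the two taken from the post are this example's own assumptions.

```javascript
// Added example, not from the original post and not Qualys' own code:
// the password-policy regexp quoted in the post, wrapped in a checker
// that reports *why* a candidate fails instead of a generic message.
// The sample passwords marked "from the post" are the poster's; the
// rest, and the explainRejection() design, are this example's assumptions.

// The regexp exactly as quoted in the post.
const QUALYS_POLICY = /(?!^[0-9!@#$]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9!@#\$%\^&\*]{8,200})$/;

// Same acceptance set as the regexp, expressed as one regexp test.
function matchesPolicy(pw) {
  return QUALYS_POLICY.test(pw);
}

// Decomposition of the regexp into the checks it actually performs:
//   - overall length 8..200
//   - every character from the allow-list a-z A-Z 0-9 ! @ # $ % ^ & *
//   - not letters only                        (second negative lookahead)
//   - not entirely drawn from [0-9!@#$]       (first negative lookahead)
// Returns [] when the password would be accepted, otherwise a list of
// human-readable reasons. Kept equivalent to matchesPolicy() on purpose.
function explainRejection(pw) {
  const reasons = [];
  if (pw.length < 8 || pw.length > 200) {
    reasons.push(`length ${pw.length} is outside 8-200`);
  }
  const bad = [...new Set([...pw].filter((c) => !/[a-zA-Z0-9!@#$%^&*]/.test(c)))];
  if (bad.length > 0) {
    reasons.push(`character(s) not allowed: ${bad.map((c) => JSON.stringify(c)).join(", ")}`);
  }
  if (/^[a-zA-Z]*$/.test(pw)) {
    reasons.push("letters only; needs a digit or one of !@#$%^&*");
  }
  if (/^[0-9!@#$]*$/.test(pw)) {
    // The lookahead's class is [0-9!@#$], not the full special-char list,
    // so a password made only of % ^ & * slips past this check.
    reasons.push("no letters");
  }
  return reasons;
}

// Demonstration when run directly: node thisfile.js
const SAMPLES = [
  "l0olo;8^h!WGQQB", // from the post: the 15-character password
  "l0olo;8^h!WG",    // from the post: same with the last 3 characters removed
  "l0olo8^h!WGQQB",  // constructed: same with the semicolon removed
  "%%%%%%%%",        // constructed: only %, accepted because % is not in [0-9!@#$]
];
for (const pw of SAMPLES) {
  const reasons = explainRejection(pw);
  console.log(JSON.stringify(pw), matchesPolicy(pw) ? "accepted" : "rejected: " + reasons.join("; "));
}
```

Running it shows both of the post's passwords rejected for exactly one reason, the disallowed ";", while the same string with the semicolon removed is accepted; the all-% case shows that the first lookahead does not cover the whole special-character list the main class allows.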
