Cannot sign-up to QuickFile or login when using "complex" passwords

Hi,

I am trying to sign-up to QuickFile for another one of my businesses and I use a password manager to handle my password management. This allows me to enforce unique and rather complex passwords across all services without remembering the passwords myself.

During the QuickFile sign-up process, I was asked for a password, my password generator suggested this:

4(5J)2wmYvxMdGS\9Ns3cj"uDiT<GT|\<4u}L"

This is a 40 character password that uses A-Z, a-z, 0-9, underscores, dashes and other symbols. Once I submitted the sign-up application process to get to the next stage, I encountered an HTTP 500 error.

To fix this issue as a customer/user, I was forced to reduce my password complexity to deal with the error. This is not ideal and gives a bad impression of QuickFile’s infrastructure.

Being a software engineer myself, I’m now under the impression that QuickFile isn’t consuming passwords safely and therefore one or more of the escape-like characters broke the back-end.

You can duplicate this error by also using this very same “complicated” password during the sign-in process, regardless of whether that is indeed your password. You’ll trigger an HTTP 500 error:

Hello @zeeshan

Firstly, I’d like to assure you that passwords are handled and stored safely. However, I suspect that something in the string itself has triggered a security procedure and caused the issue in this instance.

I have asked an engineer to look at this.


Your password is triggering an OWASP rule. This is a built-in defence against XSS attacks: by default the framework we use (.NET) looks for form vars containing tags and will throw a 500 error for anything suspicious. Removing or substituting the chevrons will ensure that the validation is passed.

So with regard to the way we consume passwords, it’s absolutely safe; resolving this issue would actually involve relaxing the security by removing the XSS checks. That said, it’s likely we can do this without causing any issue on the login and registration page. But in the meantime I would suggest using a password without chevrons.

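As an added illustration (not QuickFile's code, and not part of the thread), the following Python reimplements the tag-hunting heuristic that the reply describes and shows why the posted password trips it: the `<G` in `<GT` is a `<` followed by a letter. The regex is an assumption modelled on ASP.NET's documented request validation (`<` followed by a letter, `!`, `/` or `?`, or `&#`), and the `register` handler shows the fix the reply hints at: run the markup check only on fields that will later be rendered, and pass the password straight to the hasher as opaque bytes.

```python
import hashlib
import os
import re
from typing import Optional

# Constructed sample: the password from the thread, as the poster typed it.
THREAD_PASSWORD = '4(5J)2wmYvxMdGS\\9Ns3cj"uDiT<GT|\\<4u}L"'

# Assumption: approximation of ASP.NET request validation. A value is
# rejected when '<' is followed by a letter, '!', '/' or '?', or when '&'
# is followed by '#'. Tag-like text is what the check is hunting for.
_DANGEROUS = re.compile(r'<[A-Za-z!/?]|&#')


def looks_like_markup(value: str) -> Optional[str]:
    """Return the first offending fragment, or None if the value passes."""
    m = _DANGEROUS.search(value)
    return m.group(0) if m else None


def hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2-HMAC-SHA256 over the raw UTF-8 bytes; no character is special."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def register(form: dict) -> dict:
    """Validate only the fields that will be rendered; hash the secret as-is."""
    for field in ("display_name", "company"):
        frag = looks_like_markup(form.get(field, ""))
        if frag:
            return {"ok": False, "error": f"{field}: rejected fragment {frag!r}"}
    # The password is never rendered, so the markup heuristic does not apply.
    salt, digest = hash_password(form["password"])
    return {"ok": True, "salt": salt.hex(), "hash": digest.hex()}


if __name__ == "__main__":
    print("fragment that trips the check:", looks_like_markup(THREAD_PASSWORD))
    print(register({"display_name": "zeeshan", "company": "Example Ltd",
                    "password": THREAD_PASSWORD})["ok"])
```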