Fedora login bug: Having a 128 character password breaks OTP and will lock users out of account

Hello, I lost access to account barley3126@fedoraproject.org on Fedora Accounts because it has a 128 character password and I enabled OTP. Now whenever I try to log in, it says that credentials are invalid even though I was meticulous in storing the OTP and password. I created this account, tested it and the same thing happened (I made sure to keep my account open in another browser to be able to change the password). It seems that passwords up to 90 characters don’t break OTP but at some point beyond that, the website will return a credentials error prompt on login if OTP is enabled. I tested on both Librewolf and Brave.

I’m not sure if this should be a bug report in Noggin, or if it is an issue with FreeIPA. The answer to that question probably redirects where we should land this report:

In the meantime, are you able to log into Pagure and open a Fedora Infrastructure help ticket? This is the best way to flag the attention of the Fedora Infrastructure team and help them bring a resolution for you with your main account:

https://pagure.io/fedora-infrastructure/issues

Done. Since this is an account security related issue, I opened a private ticket. Thanks for the help. 🙂

From the FreeIPA side, we support passwords up to 1000 characters long. However, since OTP authentication relies internally on a RADIUS exchange, that might cause an issue here. I think this bug should be opened against FreeIPA.
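
Added example, not part of the thread and not FreeIPA or Noggin code: RFC 2865 section 5.2 limits the RADIUS User-Password attribute to 128 octets, and this sketch implements that attribute's encoding with a length check. It assumes the password and a 6-digit OTP code travel concatenated in one User-Password attribute, which the thread does not confirm; the shared secret, authenticator and passwords are constructed sample values.

```python
import hashlib

MAX_USER_PASSWORD = 128  # RFC 2865 section 5.2: attribute value is 16..128 octets


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a password as RFC 2865 section 5.2 describes; reject over-long input."""
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    if len(password) > MAX_USER_PASSWORD:
        raise ValueError(
            f"{len(password)} octets exceeds the {MAX_USER_PASSWORD}-octet limit"
        )
    # Pad with NULs to a multiple of 16 octets, at least one block.
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, padded_len, 16):
        # Each block is XORed with MD5(secret + previous ciphertext block).
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding on the server side and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return out.rstrip(b"\x00")


def fits_with_otp(password_len: int, otp_len: int = 6) -> bool:
    """True if password plus OTP code fit in one User-Password attribute (assumed layout)."""
    return password_len + otp_len <= MAX_USER_PASSWORD


if __name__ == "__main__":
    secret, auth = b"constructed-secret", bytes(range(16))  # constructed values
    for n in (90, 122, 128):  # 90 and 128 are the lengths mentioned in the thread
        print(n, "fits" if fits_with_otp(n) else "exceeds 128 octets with a 6-digit OTP")
    hidden = encode_user_password(b"p" * 90 + b"123456", secret, auth)
    print(decode_user_password(hidden, secret, auth)[-6:])
```

Under that assumption, a 128-character password leaves no room for the OTP code, while a 90-character one does, which matches the lengths reported in the first post.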