(Old) passwords are still usable, even when changed

Hi, I lost my keychain with a USB stick a couple of days ago. I had PortableFirefox with a comprehensive Zotero library on that USB stick. Fearing the worst, that someone might start editing my library and sync, I started changing my passwords for Zotero and WebDAV.

What startled me was that when I tried syncing with my old Zotero password on my work computer, the old and the new password seemed to work interchangeably!

That is a huge security breach and a bug that must be fixed quickly!

Regards
Mink Chan
  • edited April 27, 2010
    Do both passwords work for the Zotero.org website as well? Do they only differ in their last characters (i.e., "secretpassword1", "secretpassword1morelonger")?

    [Edit: Lest someone look at this discussion and think that the latter case is an issue, please see Dan's response below; the entirety of passwords is used.]
  • Because of the way sync authentication currently works, old passwords may continue to work for a short period of time. Usually this should be for only a few seconds, but occasionally something breaks and it's a bit longer. (We'll likely be switching to a more robust system in the near future.) The password change affects the website immediately.

    It should be caught up now, and your old password should no longer work.
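The behaviour Dan describes, an old password that is still accepted for a short time after it has been changed, is what you get whenever the service caches positive credential checks and the cache is not tied to the password change. The following is an added, constructed illustration of that window and of one way to close it; it is not Zotero's sync code, and every class, method and user name in it is assumed for the example. The cache key includes a per-user password version number, so a change makes every earlier cache entry unreachable at once instead of waiting for its TTL to expire.

```python
"""Constructed illustration (not Zotero's code) of how a positive-result
credential cache keeps an old password valid after a change, and how keying
the cache on a password version closes that window immediately."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple


class PasswordStore:
    """Authoritative store: salted PBKDF2 hashes plus a per-user version counter."""

    ITERATIONS = 100_000  # assumed work factor for the example

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, int]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        version = self._users[user][2] + 1 if user in self._users else 1
        self._users[user] = (salt, digest, version)

    def version(self, user: str) -> int:
        return self._users[user][2] if user in self._users else 0

    def verify(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, digest, _ = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)


class CachedAuthenticator:
    """Sync front end that remembers successful checks for `ttl` seconds so it
    does not rerun PBKDF2 on every request.

    key_by_version=False: the cache key ignores password changes, so an old
    password keeps working until its cached entry expires (the stale window).
    key_by_version=True: the store's version number is part of the key, so a
    password change makes every earlier entry unreachable immediately."""

    def __init__(self, store: PasswordStore, ttl: float,
                 clock: Callable[[], float], key_by_version: bool) -> None:
        self._store = store
        self._ttl = ttl
        self._clock = clock  # injectable clock keeps the demo deterministic
        self._key_by_version = key_by_version
        self._cache: Dict[Tuple, float] = {}  # key -> expiry time

    def _key(self, user: str, password: str) -> Tuple:
        # Never hold the plaintext in the cache; key on a fingerprint of it.
        fingerprint = hashlib.sha256(password.encode()).hexdigest()
        if self._key_by_version:
            return (user, self._store.version(user), fingerprint)
        return (user, fingerprint)

    def authenticate(self, user: str, password: str) -> bool:
        key = self._key(user, password)
        now = self._clock()
        expiry: Optional[float] = self._cache.get(key)
        if expiry is not None and expiry > now:
            return True  # served from cache; the store is not consulted
        self._cache.pop(key, None)  # drop an expired entry, if any
        if self._store.verify(user, password):
            self._cache[key] = now + self._ttl
            return True
        return False


def stale_window_demo(key_by_version: bool) -> Tuple[bool, bool, bool]:
    """Change a cached user's password and report whether
    (old password right after the change, old password after the TTL,
     new password right after the change) are accepted."""
    t = [0.0]
    store = PasswordStore()
    auth = CachedAuthenticator(store, ttl=30.0, clock=lambda: t[0],
                               key_by_version=key_by_version)
    store.set_password("mink", "old-secret")
    auth.authenticate("mink", "old-secret")      # primes the cache at t=0
    store.set_password("mink", "new-secret")     # user changes the password
    t[0] = 5.0
    old_right_after = auth.authenticate("mink", "old-secret")
    new_right_after = auth.authenticate("mink", "new-secret")
    t[0] = 60.0                                  # past the 30 s TTL
    old_after_ttl = auth.authenticate("mink", "old-secret")
    return (old_right_after, old_after_ttl, new_right_after)


if __name__ == "__main__":
    print("TTL-only cache     :", stale_window_demo(key_by_version=False))
    print("version-keyed cache:", stale_window_demo(key_by_version=True))
```

With the TTL-only cache the old password is still accepted five seconds after the change and only stops working once the entry expires, which is the window reported in this thread; with the version in the key it is refused immediately while the new password works as expected. An equivalent fix is to purge the user's cache entries explicitly in the password-change path, but that needs every front end to be reachable from the change handler, whereas the version number travels with the lookup and needs no extra invalidation traffic.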
