Hi, how could I know if my password has been changed, as I couldn't log in because of "Invalid username or password" - (tried many times, no typing error)?
Then I logged in by email, then changed my password with the same password (typed current and new password the same string - the result should be as if it is not changed), after which I can log in with the same password normally.
I think even if my password had been changed, I couldn't change it in the way I did - it should complain about wrong "current" password, shouldn't it?
Any explanation of this phenomenon?
Did you have a really bad password before? On the browser you might have seen "This password is too easy to guess. Request a password reset email" when trying to log in. You can see some relevant commits here: https://github.com/lichess-org/lila/commits/2bf5afb7febd727086e8246c1f146d2cbf023fbf/modules/security/src/main/SecurityApi.scala
I did it a different way - "Log in by email" (an option at the bottom of the login page), then changed the password with the same password, by settings, as I described in the first post, so there is no problem with the login now; the question remains, which is a problem as well, but a different one.
It's a medium strength password, but this has no bearing on the question, which is not "the probability of being hacked", but:
Why, for the same password, "login page" said "invalid", but "password change page --> current password" - no problem?
Why did the problem disappear after I changed the password with the same password, which is not actually a change?
I would have been happy if there was a log of password change history, but I can't find such a feature.
Today I cannot log in with my password again. I logged in by "Log in by e-mail", and will not try changing the password for a while, hoping some admin checks what's happening, as I cannot see an option to check my password change history, which may also be taken as a request for such an option.
I realize my explanation was technical and maybe not the easiest to understand. But I will try again:
Lichess now prevents users from using really weak passwords (i.e. stuff like "password" or "123456"). If you had a weak password, lichess would require you to log in with email and change the password. In which case, your password was never changed, but the normal login was prevented.
If you can log in normally now, and have changed your password, then there is nothing more to worry about. I (obviously) don't know your actual password, so I have no clue if it was "weak" or "medium". But the timing of your post very strongly suggests lichess found it to be weak.
> Why, for the same password, "login page" said "invalid", but "password change page -->current password" - no problem?
Maybe you had a whitespace in your password? In which case, it's been fixed by: https://github.com/lichess-org/lila/commit/a3f1b08b593aad72383f4e1d02f93916d1cef8df
> I can not see an option to check my change pass history, which also may be taken as a request for such an option.
Independently, this might be a reasonable feature request that you could put on GitHub. You can also see information about logged in devices here: https://lichess.org/account/security
Do we have 2FA here on lichess? I can't find it.
@y_x said in #6:
> Do we have 2FA here on lichess? I can't find it.
https://lichess.org/account/twofactor
@TBest said in #5:
> Maybe you had a whitespace in your password? In which case, it's been fixed by: github.com/lichess-org/lila/commit/a3f1b08b593aad72383f4e1d02f93916d1cef8df
This answers all my questions, the remaining is feedback:
That exactly is the case - it has a trailing space, and the authentication system still seems buggy about such cases:
1. It let me in when I typed my password without the trailing space, which is not actually the correct password.
2. It let me change my password after I typed the old password without the trailing space (which is not the correct password) - initially it said "invalid password" when I typed it correctly - with the trailing space.
3. It let me set the new password which is exactly the same as the old password - with the trailing space, while it shouldn't allow setting passwords with leading and trailing spaces, if it isn't going to accept them afterwards, BUT, to my surprise:
4. I can log in with this password now, typing it correctly - with the trailing space, and cannot log in when I type it without the trailing space.
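An added example, not part of the thread and not lichess's code: a toy credential store showing how the symptoms listed above arise when the set-password path and the login path disagree about trimming whitespace. `CredentialStore`, `keep`, `trim`, `probe` and the sample password are hypothetical names and values constructed for illustration.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; low iteration count, demo only.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def keep(password: str) -> str:
    return password


def trim(password: str) -> str:
    return password.strip()


class CredentialStore:
    """Toy store (hypothetical). set_norm runs when a password is set,
    verify_norm runs when one is checked at login."""

    def __init__(self, set_norm, verify_norm):
        self.set_norm, self.verify_norm = set_norm, verify_norm
        self.salt, self.digest = os.urandom(16), b""

    def set_password(self, password: str) -> None:
        self.digest = hash_password(self.set_norm(password), self.salt)

    def login(self, password: str) -> bool:
        candidate = hash_password(self.verify_norm(password), self.salt)
        return hmac.compare_digest(candidate, self.digest)


def probe(set_norm, verify_norm, password: str):
    """Set `password`, then log in (as typed, with surrounding spaces removed)."""
    store = CredentialStore(set_norm, verify_norm)
    store.set_password(password)
    return store.login(password), store.login(password.strip())


PASSWORD = "correct horse "  # constructed sample, note the trailing space

if __name__ == "__main__":
    for name, s, v in [("set keeps / login trims", keep, trim),
                       ("set trims / login keeps", trim, keep),
                       ("both keep", keep, keep),
                       ("both trim", trim, trim)]:
        print(f"{name:24} (as typed, stripped) = {probe(s, v, PASSWORD)}")
```

The two mismatched rows are the failure: one rejects the password in both forms, the other accepts only the stripped form, as in item 1 above. The matched rows are self-consistent, with "both keep" giving the behaviour of item 4.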