Remove typed password from the error messages

Created on 2 October 2025, 20 days ago
Updated 16 October 2025, 6 days ago

Problem/Motivation

When a password fails Zxcvbn's strength criteria, error messages are displayed to help the user choose a stronger password. The problem is that these messages currently contain the typed password, which is a security issue if someone else is looking at the screen (shoulder surfing) while the form is being filled in.

Steps to reproduce

  1. Install the module
  2. Go to the user edit form
  3. Fill in the form and enter "abcd" in both the password and password confirm fields.
  4. The "abcd" password is displayed in the error messages.

Proposed resolution

Alter the error messages so they no longer include the typed password; the feedback should describe the weakness (score, pattern type, length of the weak part) without echoing the secret itself.
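The following is an added example, not the Zxcvbn module's own code (the module is written in PHP; this is plain JavaScript to keep it runnable). It contrasts a message builder that interpolates the submitted password into the error text with one that conveys the same strength feedback without it, and adds a guard that scans the rendered messages for the password before they are shown. The feedback object, score and match list are constructed for illustration; the function names and the MIN_SCORE threshold are assumptions.

```javascript
// Constructed sample of a zxcvbn-style analysis of the password "abcd".
// The score, warning and match list are made up for illustration.
const SAMPLE_RESULT = {
  password: "abcd",
  score: 0,
  feedback: {
    warning: "Sequences like abc or 6543 are easy to guess",
    suggestions: ["Add another word or two. Uncommon words are better."],
  },
  // Each match covers a substring ("token") of the password.
  sequence: [{ pattern: "sequence", token: "abcd" }],
};

// Minimum acceptable score on zxcvbn's 0..4 scale (assumed setting).
const MIN_SCORE = 3;

// BEFORE: the submitted password and the matched tokens (substrings of it)
// are interpolated straight into user-facing error text.
function buildMessagesLeaky(result) {
  const msgs = [];
  if (result.score < MIN_SCORE) {
    msgs.push(`The password "${result.password}" is too weak (score ${result.score}/4).`);
  }
  if (result.feedback.warning) msgs.push(result.feedback.warning);
  for (const m of result.sequence) {
    msgs.push(`"${m.token}" is a ${m.pattern} that is easy to guess.`);
  }
  for (const s of result.feedback.suggestions) msgs.push(s);
  return msgs;
}

// AFTER: the same information is conveyed, but neither the password nor any
// matched token is ever placed in a string. Only the pattern type and the
// length of the weak part are reported.
function buildMessagesSafe(result) {
  const msgs = [];
  if (result.score < MIN_SCORE) {
    msgs.push(`The password is too weak (score ${result.score}/4, ${MIN_SCORE} required).`);
  }
  if (result.feedback.warning) msgs.push(result.feedback.warning);
  for (const m of result.sequence) {
    msgs.push(
      `Part of the password (${m.token.length} characters) is a ${m.pattern} that is easy to guess.`
    );
  }
  for (const s of result.feedback.suggestions) msgs.push(s);
  return msgs;
}

// Last-line check before rendering: returns the index of the first message
// that contains the full password, or -1 if none does. Only the complete
// password is checked; short tokens would false-positive on fixed wording
// such as "Sequences like abc or 6543".
function findSecretLeak(messages, password) {
  if (!password) return -1;
  return messages.findIndex((m) => m.includes(password));
}

// Renders messages only if the guard passes; otherwise fails closed with a
// generic message rather than leaking the secret.
function renderMessages(result, builder) {
  const msgs = builder(result);
  if (findSecretLeak(msgs, result.password) !== -1) {
    return ["The password is too weak. Please choose a stronger one."];
  }
  return msgs;
}

// Stand-alone demonstration.
console.log("leaky:", buildMessagesLeaky(SAMPLE_RESULT));
console.log("safe :", renderMessages(SAMPLE_RESULT, buildMessagesSafe));
console.log("guarded leaky:", renderMessages(SAMPLE_RESULT, buildMessagesLeaky));
```

The guard is deliberately a backstop, not the fix: the real fix is the safe builder, which never has the secret in hand when composing text. Keeping the check at the rendering boundary means a future message template that reintroduces the password fails closed instead of shipping.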

📌 Task
Status

Fixed

Version

2.2

Component

Code

Created by

duaelfr (Montpellier, France)


Comments & Activities


No activities found.
