Everything I do here is extremely repeatable. If you need more details or testing, let me know and I will get on it. The only input Zoho gives on passwords, aside from claims that Zoho's handling of passwords is "more secure" -- can you define your terms here? -- on an advert on the home page, is the following advise from the reset password page.
Notes :
- Password should contain 8 to 250 characters.
- Use mix of Uppercase/Lowercase letters, Numerals and Symbols.
- Do not use username or part of your e-mail address before the @ symbol.
Whenever I attempt a lengthy password, I am informed that what I am attempting is invalid. Here are some examples of failed attempts:
- ëµA¡$Hmý½7föô97N1f²2í8»Ê©®¤ih³Æàõtn¥å×xÎÕrp´pDssßV¨ÝgXÐÞErÉÖtG8«GÚX¦Z¯tp+ÝØävcqEéÓwqûþV¯ÖÐ_«Çlè+Ð#ÅðQKñ»vs¸òX!hêjrúLiµú©dG-5À¾Óä¡ùÊbûK°ïnîò¼®RzäøMÓfÏmOµd¤üÊmÊO_®ÿv¶îd-ýó§®ÿÐûv5À÷¤UGcVk8Z@@yÄÿ¬8bÞû©8½³
- keyX4j5pzrHdsa5R`0lpeq^jBUYm/#gC#vD/#vdZAVIVYR?ByntAFI%k/dyv#RlTvF|XR$N&f`!=X|ZOpEZ8gF?/O;,|B7jzAv8#\i.eY5/^ntD+%9c=4efu$yAMSl`f%P`cQMmSN`?Fb%|X3Kk8Xc
- ug\-|SA5U8t0Hmi|8/RmZjGIKH5HK&\@=--f504GUU&wx_tN0|NJaXcfqHhc5Hbj7Ui?i7!UETmd\_R6uZ%0WxT_OFzB|vEE$Kz%mkJ!L&|CQ&CVN%Quh$3kxd#i|uOQ#sQ9@SEf?0!_xY^jrfZ&dK
Because the password guidelines referenced the @ symbol as something that could cause failure, I removed it from one of the attempts like so:
- ug\-|SA5U8t0Hmi|8/RmZjGIKH5HK&\=--f504GUU&wx_tN0|NJaXcfqHhc5Hbj7Ui?i7!UETmd\_R6uZ%0WxT_OFzB|vEE$Kz%mkJ!L&|CQ&CVN%Quh$3kxd#i|uOQ#sQ9@SEf?0!_xY^jrfZ&dK
I received the exact same failure notification. Some more testing revealed that it would allow me to submit
but would not accept either of these
- Ó[48´^´YK9Êv/ª'ãÛfx;ÖF³PèP{Ï3K¿¾ØD*r½þȽ!Fy'([-ݳþÌX±+ìð~;ç/18|ATá¹%.DéÃÒ51áÔty×Ìõ_>ýCëXüð
- ¦A>æßý7êóÈ_0ò/hêä+A¡<-~o§·9&¹Ðø-räèÞ¼Ró)Ñ_DÎ/Bi»IÅÛ¤Åg~hú-ø³Àve©¥Ë´q[ÍþÕòëH.
I then tested a medium length password with only capitals, lowercase, numbers and special characters allowed in the accepted password,
- QOW8mû7_Ìw®vϳBPMWR5ÔOÔmkOap¶WoQIUcUPjsËFZiu¢xcfI@®ZYrJô4j8z³Ë30û®¶yJý
which also failed.
To test for length, I provided another failed attempt at lengthy passwords with only capitals, lowercase and numbers:
- 5NSARFLyQm7ao8hmkpOWquV6M6QEc2yBJwngRJxbXhfz1EmEhLmihdbCnNHj8V1brlNa4ZVM0d1SPdRkE4NY9SKLd9lH0eALYhYo45BOOVrL48vAXbdOxXq8veRZMDSDzulmgKLLcjlGlhcCQc7cueKcdDVUR8bbXr1ZEMT1VQhYgXCLJnh8GrIfVUIQrBNLEKznjchC
- 5NSARFLyQm7ao8hmkpOWquV6M6QEc2yBJwngRJxbXhfz1EmEhLmihdbCnNHj8V1brlNa4ZVM0d1SPdRkE4NY9SKLd9lH0eALYhYo45BOOVrL48vAXbdOxX
At this point, server response doesn't seem to line up with suggested password guidelines. I would like to know the guidelines as they actually operate, so that I can automate my password generator, which maximizes possible bits of entropy in passwords, to work with Zoho.
Please respond quickly. I consider this confusion a security issue, and I consider my current password temporary and insecure. On top of all of that, Thunderbird is saying that this new password, which works with the Desktop GUI, is invalid. I need a permanent solution quickly.