MainUI admin password length is limited to 10 characters

I recently upgraded to openHAB 3 and things have been going great. Since upgrading, I haven’t had to log in to MainUI; I was logged in when I created the admin user and have been using the same browser for all my admin. Just the other day I lost the session cookie in my browser, so I went to log back in and the login page refused to accept my password.

Not sure if I had the wrong password, I decided I would just reset it, so I did, using the Karaf console and JAAS commands, as described in the post at [Main UI] Admin user cannot change password · Issue #332 · openhab/openhab-webui · GitHub (and a few extra jaas:update commands).

While doing so, I noticed that the console “starred” out only the first 10 characters of my password when submitting the jaas:user-add command and displayed the rest as typed. When I created the admin user, and when I reset the password, I was using an 18-character password. After resetting the password, I tried logging in with the new password and it failed. Remembering that only the first 10 characters of the password were starred out, I decided to submit only the first 10 characters as if that were the password I had set, and I was able to log in.

So, it seems that there’s a 10-character limit on password length for MainUI admin user, whether specified using the MainUI page or the Karaf console, and any other characters are ignored when the password is created or changed, but interfere with logging in. I don’t know if the limit is intentional/desired, but if so, perhaps it should be mentioned in the docs at Getting Started - First Steps | openHAB (and, ideally, enforced with a length limitation in the UI). I haven’t dug into the code to see if it’s a coded limit or just an oversight, but before doing so, I wondered if anyone knew if it was supposed to be that way.

My apologies if this post is in the wrong area of the forum. And I hope it’s not a duplicate topic, either; I tried looking and didn’t see any others mentioning a password length limitation.

Thanks,
Mike

I don’t think it’s supposed to be that way so please do file an issue. If possible, the limit should be much larger and if not possible, the UI at least should enforce the 10 character limit and it should be covered in the docs.

Thanks. I created issue #3327 at MainUI admin password length is limited to 10 characters · Issue #3327 · openhab/openhab-core · GitHub

As far as I know user management for openhab users is done by using the karaf console commands:

Usage: openhab:users list - lists all users
Usage: openhab:users add <userId> <password> <role> - adds a new user with the specified role
Usage: openhab:users remove <userId> - removes the given user
Usage: openhab:users changePassword <userId> <newPassword> - changes the password of a user
Usage: openhab:users listApiTokens - lists the API tokens for all users
Usage: openhab:users addApiToken <userId> <tokenName> <scope> - adds a new API token on behalf of the specified user for the specified scope
Usage: openhab:users rmApiToken <userId> <tokenName> - removes (revokes) the specified API token
Usage: openhab:users clearSessions <userId> - clear the refresh tokens associated with the user (will sign the user out of all sessions)

Using

openhab:users changePassword <userId> <newPassword>

I can use a password that has a length of 20 characters. I did not test for its maximum length.

You’re completely right. It turns out I did some bad testing. I didn’t vary the password enough. It turned out that it was actually using unescaped special characters in the Karaf console that caused the problem with the 10-character limit (the 11th character needed escaping). Since you can encapsulate the password in quotes in the console, this isn’t really a problem once you figure out that you can/how to do so. I’ve been unable to see any issues when using the web UI to create an initial admin user with any of the special characters I’ve tried. So at this point, I’ll have to assume it was a combination of having the password wrong when trying to log in and then specifying the password incorrectly when changing it using Karaf console.

Thanks for the help Rich and Wolfgang. And sorry for the noise.


It might be worth while adding something to the docs and/or the wizard to list the characters that should be avoided. MainUI could probably also be modified to prevent their use.

I don’t like that you could use a special character and it just silently changes it on you by adding/requiring escaping.

Sorry, I don’t think I explained things well in my last message. Once Wolfgang said it worked for him, I used the Karaf console to set a simple password and it worked well. Then I tried a password with special characters (that caused it to stop “starring out” the password), but this time encapsulated the password in quotes, and it worked well.

So, once I had figured out that there was no 10-character limit if the password is specified properly in the console, I just needed to test the web UI. So, I shut down my openHAB instance, and set up a brand new directory containing a never-before-configured openHAB installation. I then started up the new instance and did initial configuration, including creating the admin user, and specified some of the special characters I saw required escaping/encapsulating in the console. When I did, it created the user successfully and the entire password, including special characters, worked. I repeated this about 10 different times (deleting the install and starting from scratch to use the web UI to create the user), trying different characters and character combinations, and in the last attempt used all the special characters I had identified with the Karaf console. Every time, the password worked. So I must have actually used the wrong password when I tried to log in to my real instance the first time (meaning the right password probably would have worked, had I actually known which one was right). And the problem only occurred because I incorrectly specified the password in the Karaf console when I tried to reset the password. (BTW, I tried both the "jaas" and the "openhab" namespaces/commands to change the password in the Karaf console, and they both worked.)

There’s a tiny possibility that some combination/number of consecutive special characters in a password may cause a problem, but I think it’s far more likely that I just used the wrong password when I attempted to log in a couple of months after setting up the openHAB 3 instance.

So the only problem was my incorrect use of the console to change the password. I didn’t see any specific mention of changing the admin password or managing UI users with the console (only discussion of setting the console username/password). It may be worth adding some text to The Console | openHAB , either discussing how to manage the admin/UI users or at least mentioning use of single/double quotes to encapsulate strings containing special characters. If you would like one of those, please let me know and I can try to come up with some text for it. Thanks.
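The console session below is an added example, not part of any post in this thread and not openHAB project code. It shows the reset procedure from Wolfgang's command list with the password quoted, as the thread concludes is necessary when it contains console metacharacters. Assumptions: the admin user is named admin, the console is already open (for example via openhab-cli console) at the openhab> prompt, the sample password is constructed for illustration only, and single quotes behave as in a POSIX shell (no variable expansion), which you should confirm on your own instance.

```karaf
openhab> openhab:users list
openhab> openhab:users changePassword admin 'Tr0ub4dor&3;{staple}'
openhab> openhab:users clearSessions admin
```

The check afterwards is the one Mike used: log in to MainUI with the complete password. If the unquoted form had been used instead, the thread's finding is that only the characters before the first special character would have become the password, and the console would have shown that by no longer masking the remainder. The clearSessions call is included because a password reset does not by itself sign out existing sessions; per the usage text above, it clears the user's refresh tokens, which is what you want if the reason for the reset was a possibly compromised credential.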

That sounds like a good addition to the docs.