Recently I suffered from a fault in the ‘Palemoon’ browser which meant that I needed to reset my password on the GCA site.
From my account preferences page, I asked the site to send me a password reset link.
When I used the link, I chose to use the existing password.
The form does not echo the password on the screen (although it does echo one character for each character in the password, which itself is enough to tell anyone how many characters are in the password) but of course I know what I’ve typed - as would anyone else using the form. If I were coding the page I would take steps to make it difficult to know the length of the password from what’s echoed on the screen - thus leaking less information to a potential attacker.
Having typed the password, the form refused to accept it and gave a message saying that it was the same as the existing password.
That seems a trifle dangerous to me. In any case I’m not convinced that replacing a password with itself is inherently dangerous, but if I’d coded it, and Management insisted on the restriction, I’d rather have it simply say that the password was not acceptable without saying why - again leaking less information.
I tried again, choosing the password 1234567890. The site told me the password “looks good”. How many of us would agree with that? How many have chosen that exact password on this site, or some other site, or both?
In general I’d eliminate the word ‘password’ from the entire site, replacing it with ‘passphrase’, and I’d insist on something which looks like a passphrase - not just a single word - unless it’s a really good single word which doesn’t even resemble a single word.