Can't log in to Admin - password expired

[hairydog]

On a Zen cart site running 1.5.4 (upgraded from 1.5.1 a while ago, from 1.3.9 even longer ago) and it is not possible to log in to the admin. When I first tried, I had to change my password (I have to do this every time I log in, because I rarely access the site). This time it rejected my replacement password, so in the end I gave up and edited the password in phpmyadmin.

So now I can get as far as changing my password, but it immediately tells me that the brand new password has expired. The date of the password is correctly recorded in the database.

What I really want to do is remove the stupid password expiry altogether. It reduces the security of the system and is a thorough nuisance. I have two other sites still on 1.3.9 because the clients consider the expiring passwords to be an unacceptable security risk.

I don't want a discussion of whether removing the expiry is a good idea. I just want to know how to remove it.

Failing that, how can I get the system to stop expiring it immediately?

[mc12345678]

Trying to understand something. Are you saying that you have to change the password every time you login even if you logged in just minutes ago?

How was this upgrade performed?

It seems like there is a bigger problem than the expiry part which should allow you to go significantly longer between password changes. Having to change the password after every login with a login occurring possibly daily certainly is not the intended function.

[hairydog]

Trying to understand something. Are you saying that you have to change the password every time you login even if you logged in just minutes ago?

How was this upgrade performed?

It seems like there is a bigger problem than the expiry part which should allow you to go significantly longer between password changes. Having to change the password after every login with a login occurring possibly daily certainly is not the intended function.

Thanks for your reply. It was worse than that. It asked me to change the password when I tried to log in, then after I had changed it, refused to let me log in with my new password because the password had expired. So it wasn't possible to log in at all.

The database was correctly recording the date and time of the last password change. I changed the config setting to stop admin account passwords expiring every 90 days but that didn't make any difference.

The upgrade from 1.5.2 (I think; perhaps it was 1.5.3) was simply done by overwriting all the files and running the sql patch. But that was done a month or more before this problem arose, and logins did work in the meantime.

My suspicion is that there was an issue with date formats. But what I have done is to re-install the upgrade by downloading and overwriting all the files again.

This seems to have resolved the login issue (I made sure to overwrite EVERY file), but I notice that this has reverted the date format to the brain-dead US format of MM-DD-YYYY. I've left it like that to see if the logging-in issue is sorted, though I shall want to change it to DD-MM-YYYY at some point.

I've left the config setting to stop admin account passwords expiring every 90 days. I'll have to wait 90 days to find out whether that really worked, of course!

[Ajeh]

When you say that you changed the password via phpMyAdmin, have you used passwords that are not in the list of the last 4 passwords used?

Have you updated the date of the password in the field:
pwd_last_change_date

so that the date is current?

[hairydog]

When you say that you changed the password via phpMyAdmin, have you used passwords that are not in the list of the last 4 passwords used?

Have you updated the date of the password in the field:
pwd_last_change_date

so that the date is current?

I didn't say that I changed the password in phpmyadmin. I changed it in the login page using the password change fields. And the password WAS updated, as was the password date field.

Reinstalling all the files has fixed the problem, so I can't replicate it now, but I suspect that there was an issue in a date parsing function. The problem did not arrive when any Zen Cart files were changed, but it may have been related to a new version of php or mysql (though actually, I think that server uses mariadb instead). That box runs debian jessie and is updated regularly.

Reinstalling the Zen Cart files has set the date format back to US settings. I haven't dared to change it back to UK format yet.

[mc12345678]

Thanks for your reply. It was worse than that. It asked me to change the password when I tried to log in, then after I had changed it, refused to let me log in with my new password because the password had expired. So it wasn't possible to log in at all.

The database was correctly recording the date and time of the last password change. I changed the config setting to stop admin account passwords expiring every 90 days but that didn't make any difference.

The upgrade from 1.5.2 (I think; perhaps it was 1.5.3) was simply done by overwriting all the files and running the sql patch. But that was done a month or more before this problem arose, and logins did work in the meantime.

My suspicion is that there was an issue with date formats. But what I have done is to re-install the upgrade by downloading and overwriting all the files again.

This seems to have resolved the login issue (I made sure to overwrite EVERY file), but I notice that this has reverted the date format to the brain-dead US format of MM-DD-YYYY. I've left it like that to see if the logging-in issue is sorted, though I shall want to change it to DD-MM-YYYY at some point.

I've left the config setting to stop admin account passwords expiring every 90 days. I'll have to wait 90 days to find out whether that really worked, of course!

Not really on the 90 day issue. Can manually modify the last change date to something before 90 days would be a test that could be performed. Remember the database date sequence will be constant regardless of how the date will be presented on the store front.

As for "overwriting" what files exist that were not overwritten because they are either part of an older install or a plugin? They too may play a part in the issue (if there really still is one).

[f7dem]

Had similar problem after restoring a database backup. When logging in, the admin page say the password has expired and should be changed, but whenever I type a new password the Admin page keeps telling that the password is not good enough. Then I tried to type in the old password again also and then the new passwords below again then it worked. For some reason it was a wrong password that had been put into the old password field, but because there was some dots in the field I thought the system already had typed it in.

[picandnix]

Had similar problem after restoring a database backup. When logging in, the admin page say the password has expired and should be changed, but whenever I type a new password the Admin page keeps telling that the password is not good enough. Then I tried to type in the old password again also and then the new passwords below again then it worked. For some reason it was a wrong password that had been put into the old password field, but because there was some dots in the field I thought the system already had typed it in.

That sounds more like your browser remembering the old password to me. Which browser are you using? Does the same behaviour occur when using a different browser?