Bug 2413086

Summary: WebUI: Password is too weak
Product: [Fedora] Fedora Reporter: Lukas Ruzicka <lruzicka>
Component: anaconda-webuiAssignee: Katerina Koukiou <kkoukiou>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: 43CC: a.badger, abdo.h.eldaly, alpha, anaconda-maint, benji97, devthalles, j3susangar1ca, kkoukiou, kparal, lexden.s, mkolman, psklenar, robatino, rvykydal, schtone, seideys, w
Target Milestone: ---Keywords: CommonBugs
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard: https://discussion.fedoraproject.org/t/172029
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2362357    
Attachments:
Description Flags
journal.log
none
anaconda_webui.log none

Description Lukas Ruzicka 2025-11-06 12:50:13 UTC 
This is an automated report that originated from trying to reproduce bug 2389356.

Installer WebUI Critical Error:
Password is too weak

StackTrace: Error: Password is too weak
    at Function.<anonymous> (http://127.0.0.1/cockpit/@localhost/anaconda-webui/index.js:34:169536)
    at rQ (http://127.0.0.1/cockpit/@localhost/anaconda-webui/index.js:8:78626)
    at http://127.0.0.1/cockpit/@localhost/anaconda-webui/index.js:8:78823
    at eQ (http://127.0.0.1/cockpit/@localhost/anaconda-webui/index.js:8:77659)

Bitte hängen Sie Logdatei /tmp/journal.log an das Problem an.

---[ System & Environment Information ]---
OS: Fedora Linux 43 (KDE Plasma Desktop Edition)
Anaconda version: 43.44
Anaconda UI version: 53.14.g7ea927aa



Reproducible: Always

Steps to Reproduce:
1. Download Fedora KDE 43.
2. Start installation.
3. Choose German language (Deutsch) and German keyboard layout (Deutsch).
4. When asked, confirm to encrypt disk.
5. For password, try using "pwvonroot".
Actual Results:
Anaconda WebUI will crash immediately with an error "Password too weak".

Expected Results:
Anaconda should not crash. If it does not want to create a weak password, it should gracefully inform users about it and let them recreate the password.
Comment 1 Lukas Ruzicka 2025-11-06 12:51:20 UTC 
Created attachment 2112948 [details]
journal.log
Comment 2 Lukas Ruzicka 2025-11-06 12:51:58 UTC 
Created attachment 2112949 [details]
anaconda_webui.log
Comment 3 Fedora Blocker Bugs Application 2025-11-06 13:43:43 UTC 
Proposed as a Blocker for 44-beta by Fedora user lruzicka using the blocker tracking app because:

 I propose this as a blocker, because Anaconda crashes with weak passwords to encrypt the disk, which I believe violates

https://fedoraproject.org/wiki/Fedora_44_Beta_Release_Criteria#Custom_partitioning
Comment 4 Lukas Ruzicka 2025-11-07 10:14:33 UTC 
Yesterday, I have spent some time to look closer into this problem with the following findings:

1) The problem can only be reproduced on KDE. You can always trigger the crash using `pwvonroot` and `pwvonroo` passwords, however `bwvonroot`, for example, does not trigger it, nor does it `rootice`. Originally, I thought that the string `root` causes the problem, but it has been confirmed that `root` itself as part of the password cannot trigger the situation.
2) Anaconda not only crashes on the disk encryption pane, but on every password field where the "correct" password is used.
3) The crash happens immediately after the user stops typing the first password. It does not let users to retype the password, nor it lets users to proceed to the Next pane.
4) Anaconda uses the Cockpit backend to provide passwords strength and Cockpit backend uses the `pwscore` program to evaluate the passwords. I have tried manually with pwscore with the following results:
    * pwvonroot -> 15
    * pwvonboot -> 18
    * pwvonroo -> 0
    * pwvonboo -> 3
    * rootice -> Error in the password quality, password shorter than 8 digits
    * weakpassword -> 62
    * rootvonpw -> 15

I am not sure why 'pwvonboot' passes and 'pwvonroot' does not. Also, 'pwvonroo' crashes and 'pwvonboo' does not. 'rootvonpw' does not crash, 'pwroot' does not crash, 'rootpw' does not crash.
Comment 5 Lukas Ruzicka 2025-11-07 10:18:08 UTC 
Also, the Accounts.jsx file includes a list of reserved words (https://raw.githubusercontent.com/rhinstaller/anaconda-webui/refs/heads/main/src/components/users/Accounts.jsx), but the ones I have tested, such as 'daemon', 'rootsync', etc. do not crash and can be used as passwords.
Comment 6 Lukas Ruzicka 2025-11-10 10:06:01 UTC 
I have also checked XFCE, LXDE, and LXQt and I can confirm that this is easily reproduced on all of them. It seems it might be the issue on all of spins, but on Fedora Workstation.
Comment 7 Lukas Ruzicka 2025-11-10 10:35:35 UTC 
I could not reproduce it on KDE Rawhide from 20251110.
Comment 8 Petr Sklenar 2025-11-10 12:11:45 UTC 
Documented as common issue: https://discussion.fedoraproject.org/t/172029
Comment 9 Katerina Koukiou 2025-11-19 12:31:20 UTC 
*** Bug 2389356 has been marked as a duplicate of this bug. ***
Comment 10 Katerina Koukiou 2025-12-04 13:26:47 UTC 
*** Bug 2406958 has been marked as a duplicate of this bug. ***
Comment 11 Katerina Koukiou 2025-12-04 13:26:49 UTC 
*** Bug 2417765 has been marked as a duplicate of this bug. ***
Comment 12 Katerina Koukiou 2025-12-09 06:46:08 UTC 
*** Bug 2420040 has been marked as a duplicate of this bug. ***
Comment 13 Katerina Koukiou 2025-12-09 12:49:23 UTC 
*** Bug 2411732 has been marked as a duplicate of this bug. ***
Comment 14 Katerina Koukiou 2025-12-22 07:42:09 UTC 
*** Bug 2424130 has been marked as a duplicate of this bug. ***
Comment 15 Seideys 2026-01-02 03:13:15 UTC 
*** Bug 2425389 has been marked as a duplicate of this bug. ***