Misleading error message: Your account couldn't be accessed because the current password is not secure

Some of our customers are being presented with the following error message when they try to sign in to their Shopify account on our store:


Your account couldn't be accessed because the current password is not secure. You will receive an email to update your password.

There are two major failings with this:


  1. They don't automatically receive an email prompting them to update their password.
  2. Even if they do go through the password reset process and change their password to a ridiculously secure one, attempting to sign in again after the change produces the same error message.

It appears that the actual issue might be down to Shopify's reliance on the "Have I Been Pwned" service to determine that an email has been compromised and rendering it unusable - by appearing in too many (8? 9? 10? who knows!) data breaches.


Once this situation has occurred, the only way (we have found) to get into the account again is to have an Admin change the customer email address for their account to a completely different one - but identifying the issue in the first place is proving to be tricky because the error message is a misleading nonsense.


It would be great if someone from Shopify could clear up:


  • what metrics are being used to result in this problem occurring (number of HIBP breaches?)
  • how the error message relates to the situation - because it doesn't!
  • and importantly, how we are expected to handle a customer's account which becomes bricked because HIBP says it has appeared on a breach list x number of times?

Having the same issue! Chatting to Shopify, they aren't offering any solution. How many customers are we losing because they are giving up logging in to their account!

Got this from a Shopify Support Advisor via direct chat on 8th April:


I was able to find several tickets from other Shopify merchants that described the problem in the same way you did, so it's something that's been noticed for several months.


After doing more reading on our customer credential validation process, and checking in with our technical team, I can confirm that this is a feature and not a bug.


Shopify checks for vulnerable credentials when a customer attempts to log in. These credentials are defined as an email + password combo that is known to have been leaked by another company and made available to bad actors, exactly as you hinted at in the Community post you shared.


Although I can see how this might cause annoyance for you or your customers, ultimately, it's in their best interest to not use compromised credentials, since most people (unadvisedly) use the same password for many different accounts.


Based on the size of your business, and the number of new accounts that have been created over the last 8 months, it's my opinion that 50 or so instances of this flag is actually a very reasonable number.


It's possible to see the flagging of these credentials as a net positive for you and your customers.


All that said, I can completely understand if you believe this validation process is a detriment. If you're interested, I'd be happy to submit an option to "opt out" of validation as feedback to our product development team. This is where we gather suggestions from merchants in terms of creating/adjusting features and services. I can't guarantee a timeline on any individual change, but we take these suggestions very seriously - particularly when multiple people make a similar request. We rely on open, honest feedback from our merchants to help Shopify grow and improve, and I'd be happy to include your voice.

From my point of view, it does appear that people are now getting an update password email, and following this process appears to resolve the issue.


I say "appears" simply because without customers taking the time to provide feedback to us, we are in the dark as to how widespread an issue this is, and whether it has actually been resolved by Shopify or not.

For those situations where a customer account is still bricked after a secure password change, the solution seems to be to change the customer email to a dummy (non-existent) email address, and then immediately back to the original email address. As of the time of writing, at least, that appears to work!
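The credential check the support advisor describes (an email + password pair already known from a breach) is normally done against a breached-password corpus without ever sending the password itself. The added example below is not Shopify's code and makes no claim about how Shopify implements its check; it shows the k-anonymity range lookup that the Have I Been Pwned Pwned Passwords service exposes (the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally), wired into a login and reset flow that actually sends the reset email this thread says is missing and clears the flag once a clean password is stored, so a reset to a strong password cannot loop back into the same error. The breach corpus, the in-memory range index standing in for the remote service, the account record and the email addresses are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed breach corpus (plaintext -> times seen in breaches). A real
# deployment would query a breached-password service; this local stand-in
# lets the example run offline.
CONSTRUCTED_BREACHED_PASSWORDS = {"password123": 5, "letmein": 3}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Group breached hashes by their 5-hex-char prefix, the way a
    k-anonymity range endpoint serves them: {prefix: ["SUFFIX:COUNT", ...]}."""
    index: dict = {}
    for plaintext, count in breached.items():
        digest = sha1_hex(plaintext)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)


def range_lookup(prefix: str) -> str:
    """Stand-in for the remote range query: the response body for one prefix."""
    return "\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password: str, lookup=range_lookup) -> int:
    """k-anonymity check: only the 5-char prefix would leave the client;
    the full hash suffix is compared locally against the returned lines."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False  # set when a login succeeded with a breached password


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email=email, salt=salt, pw_hash=hash_password(password, salt))


def attempt_login(acct: Account, password: str, sent_emails: list, lookup=range_lookup) -> str:
    """Returns a status string. The breach check runs only after the password
    verified, so the status says nothing about a password that did not match."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return "invalid_credentials"
    if breach_count(password, lookup) > 0:
        acct.must_reset = True
        sent_emails.append((acct.email, "password-reset"))  # the email the message promises
        return "password_breached_reset_sent"
    acct.must_reset = False  # a clean password clears the flag: no repeat lockout
    return "ok"


def reset_password(acct: Account, new_password: str, lookup=range_lookup) -> bool:
    """Reject a new password that is itself breached; otherwise store it and
    clear the flag so the next login succeeds instead of repeating the error."""
    if breach_count(new_password, lookup) > 0:
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.must_reset = False
    return True
```

The two design points worth copying are that the reset email is sent at the moment the flag is raised (not left to a separate process), and that the flag is cleared by storing a non-breached password, so the "change it and still get the same error" symptom described in this thread cannot occur; swapping `range_lookup` for an HTTP call to the real range endpoint is the only change needed for production use.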

"Change the customer email to a dummy (non-existent) email address, and then immediately back to the original email address" is still the only solution?

Change to a non-existent one, then change back.