I presume that the code was tested for various cases where there was at least one previous password on record, but everyone forgot about new users with no previous passwords. However I'm having trouble imagining what the code could actually be doing.

I can only imagine a dynamically typed language, and a "checkedPasswords" variable being declared but uninitialized, then a loop incrementing that variable for each non-similar password pulled from the records, and finally a check to see if checkedPasswords equals the number of stored previous passwords.

The execution environment could type and initialize the variable by default after the first increment, but in the case of the user having no previous passwords on record that wouldn't happen, and the final equivalency check would be comparing an integer to some internal "NaN" state, thus failing.

[–] squaresinger@lemmy.world 5 points 2 days ago (1 children)

I'd rather guess that it's the wrong error message. Like e.g. there's a communication error with a downstream service and they just catch Exception broadly and convert it to this error message. That would also explain why the non-filled value defaults to 0.

We had something similar where there was a check that checks whether the password is the same as the user name, but then it showed the "Password is too short" message to the user instead because of an overly broad try-catch.

[–] sukhmel@programming.dev 3 points 2 days ago

Also if the user is not yet registered, reset password shouldn't work, as there is no password to reset, maybe that's the real error. Or the counter is wrong

[–] Cethin@lemmy.zip 1 points 2 days ago

Isn't the most obvious just an off-by-one error? It checked the 0th position in the array of former passwords, and output the index as the output. We start at index 0 while programming for the first entry in an array.