id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
10714	Bail out from password reset for invalid keys	wet		"The key protecting the password reset event is [http://core.trac.wordpress.org/browser/trunk/wp-login.php?rev=11874#L155 a string of a known length of characters from a known character set]. 

Nevertheless, on the receiving end WordPress tries to [http://core.trac.wordpress.org/browser/trunk/wp-login.php?rev=11874#L188 filter out invalid characters] from the key despite knowing that these must not be there in the first place. 

I suggest to simply refuse working with invalid keys and handle that as an error condition.
"	enhancement	closed	normal		General	2.8.4	normal	wontfix