Opened 3 months ago

Closed 8 weeks ago

Last modified 7 weeks ago

#23494 closed defect (bug) (fixed)

impossible to log in with password containing leading or trailing spaces

Reported by: mich1 Owned by: westi
Priority: high Milestone: 3.6
Component: Users Version: 2.5
Severity: major Keywords: needs-patch 2nd-opinion
Cc:

Description (last modified by ocean90)

It is possible to set the password to something containing trailing or leading space characters (e.g. a single space), but the login dialog trims trailing or leading whitespaces. This makes it impossible to log in again.

It seems to me that the behavior of the login dialog is intended (see #15439), thus passwords with leading or trailing spaces should not be allowed.

Steps to reproduce (best with a new user account):

  • log in
  • change your password to something with leading or trailing spaces
  • log out
  • try to log in again. If you set your password to spaces only you will get the same error message as if you entered no password, otherwise you will get the message that the password you entered was wrong.

Note: When trying to create a user with leading or trailing spaces that differs only by those spaces from an existing user name there is an error message that the user name already exists, which is not totally correct. It still might be helpful though.

Change History (7)

comment:1   ocean903 months ago

  • Description modified (diff)

comment:2   SergeyBiryukov3 months ago

  • Version changed from 3.5.1 to 2.5

trim() for password was added in [6643], moved to wp_authenticate() in [10437].

comment:3   westi2 months ago

  • Component changed from General to Users
  • Keywords needs-patch 2nd-opinion added
  • Milestone changed from Awaiting Review to 3.6
  • Owner set to westi
  • Priority changed from normal to high
  • Severity changed from normal to major
  • Status changed from new to accepted

This is kind of sucky because we now have this easy to get into situation:

# Change password to a passphrase with a space on the end or begining
# Lock yourself out and have to go through the password reset dance.

Currently all these users are "locked out" so we don't have to support their passwords but we should either support them by removing the trim in wp_authenticate() or add a trim in wp_set_password to match the other trim so that users can't get themselves into this confusing mess.

Marking for 3.6 as I think we should resolve this sooner rather than later as the use of pass phrases is becoming more common and I am seeing more reports of this issue.

comment:4   westi8 weeks ago

In 1250/tests:

Pluggable Functions: Add some tests for passwords with trailing and leading spaces.

See #23494.

comment:5   westi8 weeks ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 23814:

Pluggable Auth: When setting new passwords for users trim any leading or trailing space to match what we do when we test passwords.

Fixes #23494

comment:6 follow-up: ↓ 7   nacin7 weeks ago

Should we do both in wp_authenticate()? With and without trim? To prevent current bad passwords from not working? Or, since they never worked, is this less of an issue?

comment:7 in reply to: ↑ 6   westi7 weeks ago

Replying to nacin:

Should we do both in wp_authenticate()? With and without trim? To prevent current bad passwords from not working? Or, since they never worked, is this less of an issue?

"Currently all these users are "locked out" so we don't have to support their passwords" was the conclusion I came to.

The passwords never worked so I decided it was better to not confuse the issue by trying to support them.

Note: See TracTickets for help on using tickets.