Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#35500 new defect (bug)

Login page: user can change password on " " but can't log in with new password.

Reported by: antonrinas
Owned by:
Milestone: Awaiting Review
Priority: lowest
Severity: normal
Version:
Component: Login and Registration
Keywords: needs-patch close
Focuses:
Cc:


There is a user:
login: admin
password: admin
role: administrator

STEPS TO REPRODUCE
Click "Lost your password?" on Login page and change it on " " (space character).
Try to login with new password.

EXPECTED RESULT: logging in.
ACTUAL RESULT: "ERROR: The password field is empty."

Change History (3)

#1 @johnbillion
2 years ago

  • Keywords needs-patch added
  • Priority changed from normal to lowest
  • Version 4.4.1 deleted

#2 @swissspidy
2 years ago

Simply not using trim() on the password in wp_authenticate() results in an incorrect_password error instead of empty_password. So that's only half of the deal.

I consider using trim() very helpful, e.g. when users accidentally hit space when typing in their password. Since someone rarely if ever changes their password to " ", I think the downsides outweigh the benefits.

#3 @voldemortensen
2 years ago

  • Keywords close added

I agree with @swissspidy here. I don't think it's a common use case to set a password as a space (or even multiple spaces). And I don't think it's a use case that should be supported. I don't think we should go out of our way to support passwords that are that insecure.
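
The behaviour discussed in comment #2, as an added PHP example that is not part of the ticket or of WordPress core. It is a simplified model: the set path is assumed to trim before hashing (an assumption that reproduces both error codes reported above), `password_hash()`/`password_verify()` stand in for WordPress's own hasher, and all function names are hypothetical. It also shows a set-time check that rejects a whitespace-only password before it is stored.

```php
<?php
// Added illustration: a simplified model, not WordPress core code.
// password_hash()/password_verify() stand in for WordPress's own hasher,
// and every function name below is hypothetical.

// ASSUMPTION: the set path trims before hashing, so " " is stored as the
// hash of the empty string.
function set_password(string $new): string {
    return password_hash(trim($new), PASSWORD_DEFAULT);
}

// Login path. $trim = true mirrors the trim() in wp_authenticate() that
// comment #2 mentions; $trim = false models removing it.
function login(string $stored_hash, string $typed, bool $trim = true): string {
    if ($trim) {
        $typed = trim($typed);
    }
    if ($typed === '') {
        return 'empty_password';
    }
    return password_verify($typed, $stored_hash) ? 'ok' : 'incorrect_password';
}

// Set-time check: refuse anything the login path can never accept.
function set_password_checked(string $new): ?string {
    if (trim($new) === '') {
        return null; // rejected: empty after normalization
    }
    return set_password($new);
}

// Constructed inputs.
$hash = set_password(' ');
printf("login with trim:    %s\n", login($hash, ' '));
printf("login without trim: %s\n", login($hash, ' ', false));

$checked = set_password_checked(' ');
printf("checked reset:      %s\n", $checked === null ? 'rejected' : 'stored');

// Accidental leading/trailing spaces still work, since both sides trim.
$hash = set_password_checked(' hunter2');
printf("normal password:    %s\n", login($hash, 'hunter2 '));
```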
