Login page: user can change password on " " but can't log in with new password.

[antonrinas]

There is a user:
login: admin
password: admin
role: administrator
STEPS TO REPRODUCE
Click "Lost your password?" on Login page and change it on " " (space character).
Try to login with new password.
EXPECTED RESULT: logging in.
ACTUAL RESULT: "ERROR: The password field is empty."

[swissspidy]

Simply not using trim() on the password in wp_authenticate() results in a incorrect_password error instead of empty_password. So that's only half of the deal.

I consider using trim() very helpful, e.g. when users accidentally hit space when typing in their password. Since someone rarely if ever changes their password to , I think the downsides outweigh the benefits.

[voldemortensen]

I agree with @swissspidy here. I don't think its a common use case to set a password as a space (or even multiples spaces). And I don't think its a use case that should be supported. I don't think we should go out of our way to support passwords that are that insecure.

[hellofromTonya]

Hello @antonrinas,

Welcome to WordPress Trac! Thank you for reporting this issue.

For JavaScript enabled browsers, this issue was fixed in ticket #42766 with changeset [49118]. This change did the following:

• the password field is trimmed first
• if empty, an empty class is added to the field and the Save Password button is not displayed
• requires JavaScript

What if the browser has JavaScript disabled? The problem still exists.

A possible solution:

• Trim and then check if pass1 is empty in wp-login.php
• if yes, generate an error message

This step would return the user back to the password reset page with a reason why their password was not accepted.

Testing now and will submit a patch for consideration.

[hellofromTonya]

Trims and checks for empty pass1. If present, sets error to alert user and allows user to try again.

[hellofromTonya]

Checks for a password of one space or all empty spaces. Does not check on first load.

[hellofromTonya]

Testing of 35500.1.diff patch. Works as expected.

[hellofromTonya]

Testing info

Dependencies

Need a way to capture the password reset email when testing locally. One way is to install and activate the Email Log plugin. This plugin captures email notifications, including the password reset email.

How to get a password reset link and display the Password Reset screen:

1. Request to reset your password by (a) going to the login page, (b) clicking on "Lost your password?" link, and then adding your username or email.
2. Get the password reset link from the email by:
   • Open the database. If using Local, click on the Database tab and then click on Open Adminer. It should then open in your browser.
   • Open the wp_email_log database table.
   • Click on Select data.
   • Edit the last record in the table, which opens it up.
   • Copy the link in the message field (likely will need to scroll down to view and then copy it).
3. Open a different browser and turn off/disable JavaScript.
4. Copy the reset password link into that browser.

How to reproduce the problem locally

1. Go to the Password Reset screen (see above).
2. Type one or more spaces into both password fields.
3. Click Save Password button. => Notice it let you.
4. Try to log in with that "space-only" password. => Notice it fails.

How to test the patch

1. Request another password reset and go to the Password Reset screen (see above).
2. Type one or more spaces into both password fields.
3. Click Save Password button.

This time notice an error message is displayed and the Password Reset screen reloads.

[henry.wright]

Related is #53339. trim() is used inconsistently when setting a password.

[hellofromTonya]

No activity for 5 months. Punting to 6.0.

[costdev]

Test Report

Environment

• Server: nginx - Local by Flywheel
• WordPress: 5.9.2
• Browser: Chrome 99.0.4844.84
• OS: Windows 10
• Theme: Twenty Twenty-Two
• Plugins:
  • Email Log 2.4.8

Steps

1. Go to the Password Reset screen.
2. Type one or more spaces into both password fields.
3. Click Save Password button. => Notice it let you. ✅
4. Try to log in with that "space-only" password. => Notice it fails. ✅
5. Apply patch 35500.1.diff.
6. Request another password reset and go to the Password Reset screen.
7. Type one or more spaces into both password fields.
8. Click Save Password button.
9. This time notice an error message is displayed and the Password Reset screen reloads. ✅

Results

1. Issue reproduced.
2. Patch 35500.1.diff resolves the issue.

---

• Removing needs-testing.
• Adding commit for consideration.

[peterwilsoncc]

Doing some branch testing with JavaScript disabled.

Entering space (please note the leading space) in both the password and confirmation fields results in the error message "Error: The passwords do not match."

This is because the password field, pass1, is trimmed but the confirmation field, pass2, is not. If WordPress must preprocess password fields, then the confirmation field will need to be preprocessed too.

[costdev]

Patch refreshed after testing by @peterwilsoncc. Compares $_POST['pass1'] to trim( $_POST['pass2'] ).

[costdev]

Just added patch 35500.2.diff, which tests well for me using " space" (note the leading space) in both the password and confirmation field.

[peterwilsoncc]

In 53067:

Login, Registration: Prevent password reset to whitespace alone.

Prevent users from using the password reset form to set their password to whitespace alone (tabs, spaces). This matches the processing used during the authentication flow, ensuring users do not inadvertently get locked out of their account.

Props antonrinas, swissspidy, voldemortensen, hellofromTonya, henry.wright, costdev.
Fixes #35500.

[peterwilsoncc]

In 53068:

Login, Registration: Fix coding standards errors in [53067].

See #35500.

[azouamauriac]

Replying to peterwilsoncc:

In 53067:

I wonder to know if we can just put ​this both "if" statement together... Any objection?

[peterwilsoncc]

Replying to azouamauriac:

I wonder to know if we can just put ​this both "if" statement together... Any objection?

The first if statement makes changes to the password variable that are used in the second statement. I considered asking for them to be combined but decided the code would be clearer keeping them separate.

[azouamauriac]

Replying to peterwilsoncc:

Replying to azouamauriac:

I wonder to know if we can just put ​this both "if" statement together... Any objection?

The first if statement makes changes to the password variable that are used in the second statement. I considered asking for them to be combined but decided the code would be clearer keeping them separate.

I'm still thinking these statements can be merged without make the code unreadable. Anyway let's move up.

thank you.