Make WordPress Core

Opened 5 years ago

Last modified 21 months ago

#35500 new defect (bug)

Login page: user can change password to " " but can't log in with new password.

Reported by: antonrinas
Owned by:
Milestone:
Priority: lowest
Severity: normal
Version:
Component: Login and Registration
Keywords: needs-patch close
Focuses:
Cc:


There is a user:
login: admin
password: admin
role: administrator
Click "Lost your password?" on the Login page and change it to " " (space character).
Try to log in with the new password.
EXPECTED RESULT: logging in.
ACTUAL RESULT: "ERROR: The password field is empty."

Change History (3)

#1 @johnbillion
5 years ago

  • Keywords needs-patch added
  • Priority changed from normal to lowest
  • Version 4.4.1 deleted

#2 @swissspidy
5 years ago

Simply not using trim() on the password in wp_authenticate() results in an incorrect_password error instead of empty_password. So that's only half of the deal.

I consider using trim() very helpful, e.g. when users accidentally hit space when typing in their password. Since someone rarely if ever changes their password to " ", I think the downsides outweigh the benefits.

#3 @voldemortensen
5 years ago

  • Keywords close added

I agree with @swissspidy here. I don't think it's a common use case to set a password as a space (or even multiple spaces). And I don't think it's a use case that should be supported. I don't think we should go out of our way to support passwords that are that insecure.
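
A simplified model of the mismatch discussed in this ticket, added here as an example and not WordPress core code or any commenter's code. The function names are hypothetical, and the set path is assumed to hash the trimmed value, which is one arrangement consistent with both errors mentioned in the thread. It also shows a guard that refuses, at reset time, any password the login path would treat as empty.

```php
<?php
// Added model of the ticket's behaviour; hypothetical names, not WordPress core code.

// ASSUMPTION: the set path hashes the trimmed value. This is one arrangement
// consistent with both errors reported in the thread.
function model_set_password(string $new): string {
    return password_hash(trim($new), PASSWORD_DEFAULT);
}

// Login check. $trim_input = true models trim() in the authenticate step
// (comment #2); false models "simply not using trim()" there.
function model_login(string $input, string $hash, bool $trim_input): string {
    if ($trim_input) {
        $input = trim($input);
    }
    if ($input === '') {
        return 'empty_password';
    }
    return password_verify($input, $hash) ? 'ok' : 'incorrect_password';
}

// Guard for the reset form: apply the login path's normalisation before
// accepting the value, so a password that can never log in is refused.
function model_validate_new_password(string $new): ?string {
    return trim($new) === '' ? 'empty_password' : null;
}

// Constructed sample run: reset the password to a single space, then log in.
$hash = model_set_password(' ');
echo 'login with trim:    ', model_login(' ', $hash, true), "\n";
echo 'login without trim: ', model_login(' ', $hash, false), "\n";

// The guard flags the whitespace-only value and accepts a padded real one.
echo 'guard on " ":         ', var_export(model_validate_new_password(' '), true), "\n";
echo 'guard on " hunter2 ": ', var_export(model_validate_new_password(' hunter2 '), true), "\n";

// A padded password still works when both paths normalise the same way.
$hash2 = model_set_password(' hunter2 ');
echo 'login "hunter2":    ', model_login('hunter2', $hash2, true), "\n";
```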
