Opened 5 years ago
Last modified 21 months ago
#35500 new defect (bug)
Login page: user can change password on " " but can't log in with new password.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | lowest |
| Severity: | normal | Version: | |
| Component: | Login and Registration | Keywords: | needs-patch close |
| Focuses: | | Cc: | |
Description
There is a user:
login: admin
password: admin
role: administrator
STEPS TO REPRODUCE
Click "Lost your password?" on Login page and change it on " " (space character).
Try to login with new password.
EXPECTED RESULT: logging in.
ACTUAL RESULT: "ERROR: The password field is empty."
Change History (3)
#1
@
5 years ago
- Keywords needs-patch added
- Priority changed from normal to lowest
- Version 4.4.1 deleted
#3
@
5 years ago
- Keywords close added
I agree with @swissspidy here. I don't think it's a common use case to set a password as a space (or even multiple spaces). And I don't think it's a use case that should be supported. I don't think we should go out of our way to support passwords that are that insecure.
Simply not using trim() on the password in wp_authenticate() results in an incorrect_password error instead of empty_password. So that's only half of the deal.

I consider using trim() very helpful, e.g. when users accidentally hit space when typing in their password. Since someone rarely if ever changes their password to " ", I think the downsides outweigh the benefits.
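
The mismatch this ticket describes, as an added PHP example (a simplified model, not WordPress core code and not written by anyone on the ticket): the reset path stores the password as typed, while the login path trims it before the empty check. All function names are hypothetical, and the second sample goes beyond the ticket's single-space case to a password with surrounding whitespace.

```php
<?php
// Simplified model of the two code paths; function names are hypothetical.

// One normalizer shared by every path that touches a password.
function normalize_password(string $pw): string {
    return trim($pw);
}

// Login path: trim first, then report an empty or incorrect password.
function login(string $typed, string $hash): string {
    $typed = normalize_password($typed);
    if ($typed === '') {
        return 'empty_password';
    }
    return password_verify($typed, $hash) ? 'ok' : 'incorrect_password';
}

// Reset path as reported in the ticket: the new password is hashed as typed.
function set_password_raw(string $new): string {
    return password_hash($new, PASSWORD_DEFAULT);
}

// Consistent reset path: normalize the same way as login, and refuse
// anything the login path would later treat as empty.
function set_password_checked(string $new): ?string {
    $new = normalize_password($new);
    if ($new === '') {
        return null; // whitespace-only password rejected at reset time
    }
    return password_hash($new, PASSWORD_DEFAULT);
}

// Constructed sample inputs, not taken from the ticket apart from " ".
$samples = [' ', ' hunter2 '];

foreach ($samples as $pw) {
    // Mismatched paths: reset accepts the value, login normalizes it away.
    $raw = set_password_raw($pw);
    printf("raw     %-12s -> %s\n", json_encode($pw), login($pw, $raw));

    // Matched paths: either the reset is refused, or login succeeds.
    $checked = set_password_checked($pw);
    $result  = $checked === null ? 'rejected_at_reset' : login($pw, $checked);
    printf("checked %-12s -> %s\n", json_encode($pw), $result);
}
```

Applying the same normalization where the password is set and where it is verified means a user is told at reset time that a value is unusable, not after being locked out.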