Login page: user can change password on " " but can't log in with new password.

[antonrinas]

There is a user:
login: admin
password: admin
role: administrator
STEPS TO REPRODUCE
Click "Lost your password?" on Login page and change it on " " (space character).
Try to login with new password.
EXPECTED RESULT: logging in.
ACTUAL RESULT: "ERROR: The password field is empty."

[swissspidy]

Simply not using trim() on the password in wp_authenticate() results in a incorrect_password error instead of empty_password. So that's only half of the deal.

I consider using trim() very helpful, e.g. when users accidentally hit space when typing in their password. Since someone rarely if ever changes their password to , I think the downsides outweigh the benefits.

[voldemortensen]

I agree with @swissspidy here. I don't think its a common use case to set a password as a space (or even multiples spaces). And I don't think its a use case that should be supported. I don't think we should go out of our way to support passwords that are that insecure.

[hellofromTonya]

Hello @antonrinas,

Welcome to WordPress Trac! Thank you for reporting this issue.

For JavaScript enabled browsers, this issue was fixed in ticket #42766 with changeset [49118]. This change did the following:

• the password field is trimmed first
• if empty, an empty class is added to the field and the Save Password button is not displayed
• requires JavaScript

What if the browser has JavaScript disabled? The problem still exists.

A possible solution:

• Trim and then check if pass1 is empty in wp-login.php
• if yes, generate an error message

This step would return the user back to the password reset page with a reason why their password was not accepted.

Testing now and will submit a patch for consideration.

[hellofromTonya]

Trims and checks for empty pass1. If present, sets error to alert user and allows user to try again.

[hellofromTonya]

Checks for a password of one space or all empty spaces. Does not check on first load.

[hellofromTonya]

Testing of 35500.1.diff patch. Works as expected.

[hellofromTonya]

Testing info

Dependencies

Need a way to capture the password reset email when testing locally. One way is to install and activate the Email Log plugin. This plugin captures email notifications, including the password reset email.

How to get a password reset link and display the Password Reset screen:

1. Request to reset your password by (a) going to the login page, (b) clicking on "Lost your password?" link, and then adding your username or email.
2. Get the password reset link from the email by:
   • Open the database. If using Local, click on the Database tab and then click on Open Adminer. It should then open in your browser.
   • Open the wp_email_log database table.
   • Click on Select data.
   • Edit the last record in the table, which opens it up.
   • Copy the link in the message field (likely will need to scroll down to view and then copy it).
3. Open a different browser and turn off/disable JavaScript.
4. Copy the reset password link into that browser.

How to reproduce the problem locally

1. Go to the Password Reset screen (see above).
2. Type one or more spaces into both password fields.
3. Click Save Password button. => Notice it let you.
4. Try to log in with that "space-only" password. => Notice it fails.

How to test the patch

1. Request another password reset and go to the Password Reset screen (see above).
2. Type one or more spaces into both password fields.
3. Click Save Password button.

This time notice an error message is displayed and the Password Reset screen reloads.

[henry.wright]

Related is #53339. trim() is used inconsistently when setting a password.