Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#45100 closed enhancement (duplicate)

Allow white space in password

Reported by: 3Lancer
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: 2nd-opinion
Focuses:
Cc:

Description

Wordpress file: wp-includes/user.php > function wp_signon()

Allows white space characters in the password upon account creation, yet trims them on logging in. This causes an issue if only using white spaces as the entire password or using them as a buffer to shorten password lengths below the set allowed minimum length.

<?php
// Reproduction snippet; assumes WordPress is loaded so wp_signon() and
// is_wp_error() are available.
$creds = array();
$creds['user_login']    = 'example';
$creds['user_password'] = '        '; // eight space characters
$creds['remember']      = true;

// wp_signon() trims the submitted password before checking it.
$user = wp_signon( $creds, false );

$errors = array(); // local collector; the original ran inside a class with an $errors property
if ( is_wp_error( $user ) ) {
    $errors[] = $user->get_error_message();
}

Password: " " (8 white space characters or more)

  • Fails to allow any logging into that account and instead returns “ERROR: The password field is empty.”

Password: " 1" (7 white space characters and a single letter or number)

  • Lets users bypass the minimum password length and just log in with '1'

Change History (3)

#1 @mukesh27
5 years ago

  • Keywords 2nd-opinion added
  • Summary changed from White space passwords to Allow white space in password
  • Type changed from defect (bug) to enhancement

Hi @3Lancer, Welcome to WordPress Trac! Thank you for your ticket.

The simple answer is that it is a bad password policy. Leading and trailing spaces could be trouble for people who are loose with copy and paste.

#2 @apmarshall
5 years ago

Just to clarify, because the language of the original post and of @mukesh27's reply were ambiguous to me:

I understand this to be a report that WordPress currently (1) allows a user to have white space in their password, (2) trims that white space out, and (3) that this means leading white space can be used to bypass password length requirements. In other words, this is reporting current behavior (a bug), not proposing a new behavior. Is that correct?

Follow-up questions, to clarify the impact of this bug:

What happens if the white space is in the middle of the password, for example "123 abc"? Does the trimming of the white space truncate the password at "123", or does it compress it to "123abc" without the space in the middle?

Similarly, does trailing white space (for example, a "1" followed by seven spaces) have the same effect as the leading white space example in terms of bypassing length requirements, or does that only work if the white space is the initial portion of the password?
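As an added example that is not WordPress core code, the following shows the root of the mismatch the description reports and how a registration-time check would close it: measure the password the same way the login path does (after trimming leading and trailing white space) and refuse an all-white-space value, so the leading, trailing and interior white space cases asked about above are all treated consistently. MIN_PASSWORD_LENGTH, the function names and the sample passwords are assumptions constructed for the example.

```php
<?php
// Added example, not WordPress core code. The weak check measures the raw
// value while login (per the report) measures the trimmed one, so padding
// with spaces satisfies the minimum. The hardened check normalizes first.

const MIN_PASSWORD_LENGTH = 8; // assumed policy value, not a WordPress constant

// Weak policy: counts raw bytes, so "       1" passes as 8 characters.
function password_meets_policy_weak( string $password ): bool {
    return strlen( $password ) >= MIN_PASSWORD_LENGTH;
}

// Hardened policy: apply the same trim() the login path applies, reject an
// empty result (such a password could never be used to log in), and enforce
// the minimum on what remains. Interior white space is kept, as trim() keeps it.
function password_meets_policy( string $password ): bool {
    $normalized = trim( $password );
    if ( $normalized === '' ) {
        return false;
    }
    return strlen( $normalized ) >= MIN_PASSWORD_LENGTH;
}

// Constructed samples mirroring the ticket's cases plus the variants asked about.
$samples = array(
    array( '        ',      'eight spaces only' ),
    array( '       1',      'seven leading spaces and "1"' ),
    array( '1       ',      '"1" and seven trailing spaces' ),
    array( '123 abc',       'interior space, 7 characters' ),
    array( '123 abcd',      'interior space, 8 characters' ),
    array( 'correct-horse', 'ordinary 13-character password' ),
);

foreach ( $samples as list( $password, $label ) ) {
    printf(
        "%-32s weak=%-6s hardened=%s\n",
        $label,
        password_meets_policy_weak( $password ) ? 'accept' : 'reject',
        password_meets_policy( $password ) ? 'accept' : 'reject'
    );
}
```

The weak check accepts the first three samples; the hardened check rejects them and accepts only the passwords that still meet the minimum after the same normalization login performs.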

#3 @SergeyBiryukov
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @3Lancer, welcome to WordPress Trac!

Thanks for the report, we're already tracking this issue in #27740.
