Make WordPress Core

#56544 closed defect (bug) (wontfix)

When resetting the password, inputting spaces on the left or right accepts and shows a successful reset password message. But when trying to login into the account without those spaces, it successfully logged me in.

Reported by: islammdshariful's profile islammdshariful Owned by:
Milestone: Priority: normal
Severity: normal Version: 6.0.2
Component: Login and Registration Keywords: reporter-feedback dev-feedback
Focuses: privacy Cc:


Suppose a user trying to reset his/her password. He/She ends the password with a blank spaces (which is still a character & ASCII code: 32).
Now when resetting the password it shows successful reset password message.

When trying to login into the account without that end space, it successfully logged in. Which seems like a bug where blank spaces are not taking into account.

Change History (6)

#1 @robinwpdeveloper
22 months ago

  • Keywords needs-patch added

#2 @jakariaistauk
22 months ago

Good Catch @islammdshariful. I also got the issue on creating new user. I create user with password which contains spaces like ' 1234 ' but at login time it works without space means '1234'.

#3 @rudlinkon
22 months ago

  • Severity changed from normal to major

#4 @robinwpdeveloper
22 months ago

@costdev can you please verify this bug?

#5 @costdev
22 months ago

  • Focuses coding-standards removed
  • Keywords reporter-feedback dev-feedback added; needs-patch removed
  • Severity changed from major to normal

Thanks for the ping @robinwpdeveloper 🙂

I'm not at a PC at the moment, but my initial thinking is:

  • On creation,the password is trimmed:
    • " surrounded_with_spaces " becomes "surrounded_with_spaces" and is then processed and saved to the database.
  • On login, the password is trimmed:
    • " surrounded_with_spaces " becomes "surrounded_with_spaces" and is compared to the value in the database, which matches, and the user is logged in.

Trimming passwords of surrounding space is common in case a password was copied and pasted from elsewhere and includes extra space around it.

If this is the case, then I'd say it's a feature, not a bug.

Needs investigation/confirmation before this ticket can be moved forward (either towards close or towards a patch).

  • Removing needs-patch as this isn't (yet) confirmed as a bug.
  • Setting Severity to normal until we know more.
  • Removing coding-standards as this doesn't pertain to WPCS.
  • @robinwpdeveloper To verify the Version property, can you confirm whether this only started happening in WordPress 6.0.2, or if it happens in earlier versions of WordPress? Otherwise, please set the Version property to empty until this has been investigated. (Version is for noting when a bug was introduced, not the version being used when it occurred).
  • Adding dev-feedback so that contributors know to investigate and give feedback on this behaviour.

#6 @rajinsharwar
11 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Just checked on this old issue. I think @costdev is right, if there are any spaces before, or at the last, it isn't taken into account. Neither those spaces at the first or last get saved in the DB, nor aren't those compared while logging in. Yes, only when there are spaces between the password strings, that is when it's saved in the Db, and compared while logging in.

This is more like a feature, rather than a bug. So, let me set the resolution to "wontfix". Thanks to all who spent their valuable time on this ticket.

Note: See TracTickets for help on using tickets.