Opened 13 months ago
Closed 5 weeks ago
#56544 closed defect (bug) (wontfix)
When resetting the password, inputting spaces on the left or right accepts and shows a successful reset password message. But when trying to login into the account without those spaces, it successfully logged me in.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 6.0.2 |
| Component: | Login and Registration | Keywords: | reporter-feedback dev-feedback |
| Focuses: | privacy | Cc: | |
Description
Suppose a user is trying to reset his/her password. He/she ends the password with a blank space (which is still a character, ASCII code 32).
Now when resetting the password, it shows a successful reset password message.
When trying to log in to the account without that end space, it successfully logged in. This seems like a bug where blank spaces are not taken into account.
Change History (6)
#5
@
13 months ago
- Focuses coding-standards removed
- Keywords reporter-feedback dev-feedback added; needs-patch removed
- Severity changed from major to normal
Thanks for the ping @robinwpdeveloper 🙂
I'm not at a PC at the moment, but my initial thinking is:
- On creation, the password is trimmed:
  - " surrounded_with_spaces " becomes "surrounded_with_spaces" and is then processed and saved to the database.
- On login, the password is trimmed:
  - " surrounded_with_spaces " becomes "surrounded_with_spaces" and is compared to the value in the database, which matches, and the user is logged in.
Trimming passwords of surrounding space is common in case a password was copied and pasted from elsewhere and includes extra space around it.
If this is the case, then I'd say it's a feature, not a bug.
Needs investigation/confirmation before this ticket can be moved forward (either towards close or towards a patch).
- Removing needs-patch as this isn't (yet) confirmed as a bug.
- Setting Severity to normal until we know more.
- Removing coding-standards as this doesn't pertain to WPCS.
- @robinwpdeveloper To verify the Version property, can you confirm whether this only started happening in WordPress 6.0.2, or if it happens in earlier versions of WordPress? Otherwise, please set the Version property to empty until this has been investigated. (Version is for noting when a bug was introduced, not the version being used when it occurred).
- Adding dev-feedback so that contributors know to investigate and give feedback on this behaviour.
#6
@
5 weeks ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
Just checked on this old issue. I think @costdev is right: if there are any spaces at the start or at the end, they aren't taken into account. Those spaces at the start or end neither get saved in the DB nor are compared while logging in. Yes, only when there are spaces between the password strings are they saved in the DB and compared while logging in.
This is more like a feature, rather than a bug. So, let me set the resolution to "wontfix". Thanks to all who spent their valuable time on this ticket.
Good catch @islammdshariful. I also got the issue when creating a new user. I created a user with a password which contains spaces, like ' 1234 ', but at login time it works without the spaces, meaning '1234'.
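
The behaviour discussed in this ticket, as an added example (not WordPress core code and not written by any participant in the thread): a stand-alone PHP model that runs all four combinations of trimming at set time and at login. The helpers `set_password()` and `check_password()` are hypothetical, and PHP's built-in `password_hash()` / `password_verify()` are used as a stand-in for WordPress's own hashing, which is an assumption.

```php
<?php
// Added illustration; not WordPress core code. Function names are hypothetical.

// Store a password hash, optionally trimming surrounding whitespace first.
function set_password(string $plain, bool $trim): string {
    return password_hash($trim ? trim($plain) : $plain, PASSWORD_DEFAULT);
}

// Check a login attempt, optionally trimming it the same way.
function check_password(string $attempt, string $hash, bool $trim): bool {
    return password_verify($trim ? trim($attempt) : $attempt, $hash);
}

// Constructed sample values, shaped like the ' 1234 ' example in the ticket.
$chosen   = ' 1234 ';                     // what the user typed when setting it
$attempts = [' 1234 ', '1234', '12 34'];  // padded, unpadded, inner space

// Every combination of "trim when setting" and "trim when logging in".
$matrix = [[true, true], [true, false], [false, true], [false, false]];

foreach ($matrix as [$trimSet, $trimLogin]) {
    $hash = set_password($chosen, $trimSet);
    printf(
        "trim on set: %-3s  trim on login: %-3s\n",
        $trimSet ? 'yes' : 'no',
        $trimLogin ? 'yes' : 'no'
    );
    foreach ($attempts as $attempt) {
        printf(
            "  login with %-9s => %s\n",
            var_export($attempt, true),
            check_password($attempt, $hash, $trimLogin) ? 'accepted' : 'rejected'
        );
    }
}
```

Only the trim/trim row accepts both ' 1234 ' and '1234' while rejecting '12 34', which is the behaviour reported here. The row that stores the untrimmed value but trims at login rejects every attempt, including the password exactly as typed, so the two code paths have to normalise identically.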