[wp-trac] [WordPress Trac] #24973: Impossible to login with passwords that contain trailing or leading spaces
WordPress Trac
noreply at wordpress.org
Fri Nov 8 12:02:18 UTC 2013
#24973: Impossible to login with passwords that contain trailing or leading spaces
--------------------------+---------------------
 Reporter:  rpattillo     |       Owner:  nacin
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:  3.7
Component:  Users         |     Version:  3.6
 Severity:  normal        |  Resolution:  fixed
 Keywords:  has-patch     |
--------------------------+---------------------
Comment (by dave1010):
WordPress is `trim()`ing passwords to make a better UX. Going down the
same route, should WordPress also `strtolower()` passwords all the time,
in case users accidentally have caps lock on? Should WordPress remove
duplicate consecutive characters, in case the user held a key down too
long?

Both `trim()` and `strtolower()` sacrifice password entropy for UX. You
could easily argue that the UX gains from this ticket are worth the
reduction in security, but the scary thing is that the security
implications don't seem to have been considered! (At least in this ticket
and from a quick Google, apologies if this was discussed elsewhere).

Is WordPress' modification of users' passwords documented anywhere?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24973#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
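
The entropy trade-off raised in the comment above can be measured by brute force. This is an added example, not WordPress code or part of the original message: it enumerates every 6-character password over a small alphabet and counts how many distinct values survive each normalization the comment names. The alphabet, the length and the `dedupe` regex are assumptions made for illustration, and the bit figures hold only for uniformly random passwords.

```php
<?php
// Added illustration; not WordPress code. Alphabet and length are constructed.

// The normalizations named in the comment, plus a no-op baseline.
$policies = [
    'none'       => fn(string $p): string => $p,
    'trim'       => fn(string $p): string => trim($p),
    'strtolower' => fn(string $p): string => strtolower($p),
    // Hypothetical "held a key down too long" fix: collapse repeated characters.
    'dedupe'     => fn(string $p): string => preg_replace('/(.)\1+/s', '$1', $p),
];

// Every string of exactly $len characters over $alphabet.
function all_strings(array $alphabet, int $len): array {
    $out = [''];
    for ($i = 0; $i < $len; $i++) {
        $next = [];
        foreach ($out as $prefix) {
            foreach ($alphabet as $ch) {
                $next[] = $prefix . $ch;
            }
        }
        $out = $next;
    }
    return $out;
}

// Distinct values left after normalization, and the entropy lost in bits
// (assumes each candidate password is equally likely).
function keyspace_after(callable $normalize, array $candidates): array {
    $distinct = count(array_unique(array_map($normalize, $candidates)));
    $lost = log(count($candidates), 2) - log($distinct, 2);
    return ['distinct' => $distinct, 'bits_lost' => $lost];
}

$alphabet   = ['a', 'b', 'A', 'B', ' '];   // constructed toy alphabet
$candidates = all_strings($alphabet, 6);   // 5^6 candidate passwords

foreach ($policies as $name => $normalize) {
    $r = keyspace_after($normalize, $candidates);
    printf("%-10s distinct=%5d bits_lost=%.2f\n",
        $name, $r['distinct'], $r['bits_lost']);
}
```

Every pair of inputs that a policy maps to the same value is a pair of passwords the login form would treat as identical.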