Support » Requests and Feedback » To whitespace or not to whitespace, that is the password

  • 3Lancer

    (@3lancer)



    For security best practices, should white spaces be allowed in passwords? And if so, should they be trimmed from the start and/or end?

    Lets just say someone created an account with the password:

    (that’s 16 whitespaces)

    Is this acceptable for WordPress Accounts or should it be?

Viewing 5 replies - 1 through 5 (of 5 total)
  • catacaustic

    (@catacaustic)

    Yes, they should be allowed (they are valid characters after all), and no, they should not be trimmed out.

    But… 16 space characters would never be a “secure” password as it’s all the same character. It’s the same as if someone used ‘aaaaaa’. You could filter on that sort of condition.

    3Lancer

    (@3lancer)

    Unless I’m doing something wrong, I believe this is a glitch in the WordPress login:
    wp-includes/user.php > function wp_signon( $credentials = array(), $secure_cookie = '' )

    Basic example of this:

    $creds = array();
    $creds['user_login'] = 'example';
    $creds['user_password'] = '        ';
    $creds['remember'] = true;
    $user = wp_signon( $creds, false );
    if ( is_wp_error($user) ) {
       $this->errors[] = $user->get_error_message();
    }

    Returns: “ERROR: The password field is empty.”

    Yet the WordPress signup allows the whitespace password? Therefore you can create locked out accounts upon signup.

    catacaustic

    (@catacaustic)

    Looking at the code, there are checks done using the empty() PHP function, and that will show a string of only spaces as “empty”, so yes, it does look like that’s true.

    You are talking about a really big edge case. While yes, it is possible, there shouldn’t be (I hope…) too many people that would use just spaces as their password. They’d also see the big red messages saying how insecure the password is, so that should disuade the majority of people. If they did decide to do it anyway, they can always reset the password to something more “acceptable”.

    If you think that this warrants a change, you can submit a ticket for it in the core trac system.

    3Lancer

    (@3lancer)

    Cheers catacaustic for your feedback.

    Dion Designs

    (@diondesigns)

    Here is the second line of the wp_authenticate() function:

    	$password = trim($password);
    

    This means that passwords cannot have leading or trailing whitespace. So your “all whitespace” password will be considered an empty string.

Viewing 5 replies - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.