views:

115

answers:

6

Does having a space at the end constitute a valid password?

e.g. "ABCD " or "ABCD12 "

Would it be fine if we trim the password input (i.e. "ABCD" would be the effective string after trimming) prior to authentication?

+3  A: 

Technically yes - a password can contain anything you want it to. However, what's actually allowed will depend on a number of factors including hashing algorithm, how the data is stored etc.

If you are going to trim the password then you need to state "no trailing spaces" when the user enters the data.

ChrisF
+2  A: 

I tend to trim "silently" almost everything the user types, as spaces are generally not shown in form elements.

But, for password fields, there is a '*' or an equivalent -- so even spaces are "visible"; so you can't trim the input silently.

Still, I would consider a password with a space at the beginning or end is not valid, and ask the user to modify it -- but that's probably a matter of personal taste.

(Considering a user typing a space at the beginning or end of a password field is quite a rare situation, I would not indicate anything saying this is not allowed, though -- until the user actually does that, of course: a registration form is already quite too complex for most users, so no need to say that kind of little/rare thing until it happens)

Pascal MARTIN
-1 silent trim, wtf dude?
Rook
A space is a totally valid ASCII character and by removing it you are decreasing the entropy available to users. Thus the ONLY effect trimming has is slightly decreasing the security of the application while getting absolutely nothing in return. That's my 2 cents.
Rook
I agree about the fact that a space is a valid character, and, as such, I, of course, allow it in a password; but just not at the beginning or end: in my opinion, it means a too big risk of error for the users *(like if you send the password by email -- yeah, not good, but it's often done -- there is a risk that the space at the beginning or end is not seen by the user, as it's an "invisible" character)*; silent trim is for fields such as "text content", "nickname", "firstname"; not for password, of course :-)
Pascal MARTIN
A: 

I wouldn't consider a space a valid password character. It's not something that is usually done. So it would be fine to trim before authentication.

Tony
-1 a space is an ASCII character and thus is completely valid. A hash function will not know the difference.
Rook
+2  A: 

I'd say it's probably a bad idea to use a password like that, but it's an even worse idea to arbitrarily change what they entered for a password.

If your password creation procedure disallowed passwords which end in a space, then it should be OK.

James Curran
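
The interaction between trimming and hashing that this thread argues about, as an added example that is not part of any answer: a hash covers every character including a trailing space, so trimming only at login locks out an account whose stored hash includes that space, while rejecting such passwords at creation tells the user up front. The function names, the `reject_edge_whitespace` and `silent_trim` flags and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed parameter for this example only.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash exactly the characters given; nothing is trimmed or normalised."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(password: str, reject_edge_whitespace: bool = False):
    """Return a (salt, hash) record, or raise ValueError so the user is told why."""
    if reject_edge_whitespace and password != password.strip():
        raise ValueError("Password must not begin or end with whitespace.")
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(password: str, record, silent_trim: bool = False) -> bool:
    """Check a login attempt; silent_trim=True models trimming before authentication."""
    salt, stored = record
    if silent_trim:
        password = password.strip()
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    # Constructed account: created with a trailing space, before any trimming existed.
    record = register("ABCD12 ")
    return {
        "exact_password": verify("ABCD12 ", record),
        "without_space": verify("ABCD12", record),
        # The user types the correct password, but the login form trims it.
        "exact_password_after_silent_trim": verify("ABCD12 ", record, silent_trim=True),
    }


if __name__ == "__main__":
    print(demo())
```
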
+1  A: 

A space at the end of a password is perfectly valid, and indeed would help protect it if printed. Why restrict users from what password they choose? It can't add value.

Luke Harris
I would probably trim the input to avoid confusion and will give them a warning.
Joshua
+1  A: 

I agree with those who say that while it could be regarded as a valid character, I wouldn't recommend it, since it will add to possible confusion and not really add any value.

Using a space in a password is something that I can only guess is rarely done and uncommon to standard user behaviour. Therefore I think it would be fine if you explicitly exclude spaces from passwords and alert the user when he chooses a password which holds a space. I wouldn't trim the password without giving the user feedback in case that they chose a space on purpose and are confused when they can't log in afterwards.

To be fair, this is just gut feeling about how passwords should work. I can't think of a reason why it should absolutely be forbidden to use spaces in a password.

Anne Schuessler