Trim username at login

I claim I'm not *really* dumber myself. Drupal timed out on me....

makes sense to me

+1
FWIW - I could see this being useful, and don't really see any practical drawbacks.

I does smell of hack, but is that really an issue? I mean, it might not be the 'done' thing to mess with passwords, however, I can't imagine any regular user intentionally putting leading or trailing whitespace on a password, but I can imagine it being done accidentally fairly often (either when setting a password, or when logging in).

To be consistent, it would make sense to trim passwords when setting them as well.

-1 from me.
I think we should nstart meddling with passwords by trim()ing them.

If you have dumb users, you should fix it in the mail that is send to them. That is really easy. For example: add a word after the passwords:

your password is WKDKAFAJ34 please mind capital letters.

or so.

Bèr

I don't agree with Bèr... copy/pasting is a fiddly business, especially because when pasting a password all you see is asterisks and you don't notice if there is an extra character. Trimming the password won't hurt, I very much doubt that there are people who consciously use a space at the beginning or end of their password.

+1 on trimming, it is a usability improvement.

+1 here. Bèr, if you write a sentence around it, you can still copy-paste the whitespace before and after it.

I'm unsure if I really like this, but if this really gets applied, please make it a configuration option. Do not hardcode it for all Drupal installations. Thanks, Uwe.

+1
I can confirm from my logs that the typical user bungles initial login 1-4 times, with each bungled attempt making an all-out failure more likely. Not only am I in favor of trimming, I am much in favor of investigating other means of initial password assignment like on the initial register form or by generating a unique URL that gets mailed and only has to be clicked or pasted into the browser address bar. Sorry if those alternatives have already been widely discussed here.

I am all for trimming the spaces in front of the username and after it, but I am absoklutely against another option for such thing. IMO this is only a usability improvement and it is not needed to make it a configurable behaviour..
We have enough options already, and if you'll ask me I'll tell you that we need less options instead of more..

Admitted: no one will conciously add spaces to his or her passwords. So i will pull out my -1 hereby.

but -1 for making ot an option. As steef syis: its useability.
I still stick to the -1 for applying this specific patch. I beleive that we should be
1) consitant, and strip /all/ password whitespace.
2) use drupal_set_message() to warn people when whitespace was stripped. And so to educate users to be aware of whitespace when copying passwords.

My proposed patch also strips white space when the user changes the password, so it's not possible to create an unusable password.

I agree that a warning message would be a good idea.

Part of the problem with users copying and pasting extraneous whitespace around passwords (or userrnames) is the inconsistent behavior in GUI windowing environments. That is to say, in some applications in some GUIs, double-clicking on a word will copy the word and its surrounding white space, for example. In others, it will not.

One might think it would be visibly obvious that the surrounding white space was included in the copy operation, but that's not so. The words might be displayed in a very small, proportional font (and further might be justified or kerned in unpredictable fashion) which make it hard to see just where the highlighted copied text begins and ends. This is under the control of the application and the user. Or, the user might think logically that since all he or she wanted was the word, and likewise that "whitespace" is irrelevant, the user may assume that what was copied was only the desired word even if they can visibly see that the adjacent spaces are highlighted.

I'm well aware of this behavior myself and even I sometimes get tripped up when copying and pasting bits of data here and there by the occasional undesired white space.

My vote would be to always trim leading and trailing white space, and to document in the help that such white space is not valid in passwords.

The patch still applies. Apart from Ber everybody liked it. I also like it.

"apart from Ber everyone liked it", so here a short comment:
I still beleive modifying what a user inserts should never be modified. But the current situation is far worse, so I guess it gets a +1 from me now too :).

RE #11, if whitespace is not checked for in the password validation it should be. Preventing whitespace from being used is preferable to simply stripping it.

Patch against 4.6 attached.

I am +10 for this... but so far have leading/trailing spaces been allowed in passwords? If they have, then this causes an obvious problem - users with existing leading/trailing spaces in their passwords will no longer be able to login. You can't pull the password hash out of the database and trim that... that's not how hashes work.

If leading/trailing spaces *have* been allowed in the past, then the obvious work around would be: if someone tries to login and enters a leading/trailing space and the login fails, ask them whether their password has one. If it does, get them to reset their password then choose a new one.

Of course you also have to ensure that when users setup new passwords/edit their passwords the password hash is made from a trimmed version of their password. You don't have to inform them that its been trimmed. Its irrelevant to them. You just do it.

Please note that chaging the title, affects the whole issue.

-1 in the current form

I'll +1 iff:

1. this is configuration option, off by default
2. if enabled adds a warning message in appropriate places
3. if enabled checks both trimmed and not trimmed password - this way existing passwords with leading/trailing spaces will work

This should not be a configurable option. A significant portion of Drupal site administrators will not understand such an option. I am guessing the majority won't care. I think in cases like this we need to decide that one way is clearly better and stick to it. I think that trimming is the best thing to do since I've heard about this sort of problem infrequently for the past year. It looks like current passwords which begin or end with a space is a possibly statistically insignificant problem.

This should not be a configurable option. A significant portion of Drupal site administrators will not understand such an option.

Eh? How can someone not understand such simple option? Here, let me provide you with a help message: (I have tried to be nice ;))

[x] trim passwords
If enabled spaces from begining and ending of user passwords are removed. This is done because users sometime copy&paste passwords with leading or trailing white spaces and can't log in. Enable if you have many stupid users. Enabling this option is safe for you and your users.
If you don't understand what you just read then don't touch this option.

-1 for yet another configuration option.

If you feel lost among lots of options then let's make a super-hiper-advanced-don't-touch-you-have-been-warned page with many nice but scary options...
This way both parties will be happy.

Super-hiper-advanced sounds like "edit the code yerself, bub" to me [g].

> If you feel lost among lots of options then let's make a
> super-hiper-advanced-don't-touch-you-have-been-warned
> page with many nice but scary options...
> This way both parties will be happy.

+1 for the thread in general, and +1 for this. I am ALL for more and more options, but with SENSIBLE default values, and hidden away to not make the options pages cluttered.

If implementing this, maybe weighting opinions in general with this discussion, get the general feel of a new option, and if it's implemented, but not popular, move it away to the super-hyper-advanced page.

Kobus

-1 on configuration option. I agree a choice needs to be made on this issue.

I don't like the idea of changing something the user enters without telling them. Simply trimming their password at registration seems silly.

I think that if a password has spaces in it, it should be rejected with a proper error. Then, all login attempts can use a trimmed password.

ok. I revoke my -1 for trimmed passwords. Go ahead and trim them. I think there is no need to notify users about trimmed passwords or reject passwords with leading/trailing whitespaces.

But still, attached patch is lacking support for existing passwords with such whitespaces.
This can be accomplished for example by also checking not-trimmed version if trimmed version fails.

Committed the patches to HEAD and DRUPAL-4-6. Thanks guys.