31

Just wondering.

We usually trim a user name in various forms in our ASP.Net application; what are the best practices for password fields?

i.e. should we remove a trailing space in a password field before being saved/encrypted?

abatishchev
Liam
  • Should white space characters be allowed in a password? http://stackoverflow.com/questions/5475071/should-whitespace-characters-be-allowed-in-a-password – Christophe Geers Aug 30 '11 at 09:07
  • 1
    @ChristopheGeers - There is actually a slight difference in the questions. While the other question asks if spaces should be allowed _inside_ a password, this question only addresses spaces _outside_ the password (`trim()`). – martinstoeckli Nov 01 '12 at 09:04
  • 1
    possible duplicate of [Should users be allowed to entered a password with a space at the beginning or end?](http://stackoverflow.com/questions/632167/should-users-be-allowed-to-entered-a-password-with-a-space-at-the-beginning-or-e) – Kevin Kibler Jun 05 '13 at 19:42
  • I read this: http://www.engadget.com/2014/04/04/xbox-live-five-year-old-hacker/ about a kid who enters some spaces and bypasses Xbox security... so as long as empty strings do not mean "user has no password and that is also ok" ..... – edelwater Apr 05 '14 at 14:13
  • 2
    https://tonyshowoff.com/articles/should-you-trim-passwords/ So it's simple: users should be able to use any characters they want in a password, but the password should be trimmed at both create and login. – Yves M. Jan 18 '22 at 12:10

8 Answers

46

Leave the password as the user entered it.

You should never silently change a field entered by a user, above all a password.

onof
  • 4
    +1. You should not trim the password. If you do not want to accept passwords with spaces then a password containing spaces should not be accepted. – Nippysaurus Apr 02 '13 at 11:48
  • So, presumably, you should either reject the password in the first place or, when someone tries to login, try appending and/or prepending various whitespace characters to whatever they enter, as respective attempts to log them in. I don't feel great about the latter option, so I think the only sensible thing in this case is to reject passwords with whitespace at the beginning/end – Bobby Jack Nov 26 '14 at 10:55
  • 3
    https://tonyshowoff.com/articles/should-you-trim-passwords/ – Yves M. Jan 18 '22 at 12:09
  • 1
    This answer doesn't appear to make a difference between *trimming* a password (removing whitespace at the start and end of the password), and overall removing of whitespace *inside* the password itself. – 9769953 Jan 25 '22 at 10:08
20

If you use the same trimming method when inputting in the db as you use when you select to test the password, the user's password will still work just fine.

There is of course a slight reduction of quality for that (very rare) user who chooses to use white space at the beginning or end of her password.

Spaces inside passwords should never be a problem, though.

In summary: I have not come across any good reason not to do a simple trim() for any input from web forms and the like, passwords or not. The benefits, however, far outweigh the slight cost mentioned above.

Gorm
  • 8
    Agreed, spaces _inside_ a password should be left alone, spaces _outside_ a password are only asking for trouble, the security should not depend on such whitespaces. – martinstoeckli Nov 01 '12 at 09:10
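
Added example, not part of any answer on this page: the approach from the answer above (the same trim applied when the password is saved and when it is checked at login), sketched in Node.js. The function names, the 8-character minimum and the choice of scrypt are assumptions made for the illustration.

```javascript
// Added illustration; names, MIN_LENGTH and scrypt are assumptions.
const crypto = require('node:crypto');

const MIN_LENGTH = 8; // constructed policy value

// Strip leading/trailing whitespace only; inner spaces stay part of the secret.
function normalizePassword(raw) {
  return raw.trim();
}

// Registration: trim first, check length on the trimmed value, then hash.
function register(raw) {
  const password = normalizePassword(raw);
  if (password.length < MIN_LENGTH) {
    throw new Error('password too short after trimming');
  }
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Login: must apply the same normalize function that register() used.
// The parameter exists only so the mismatch case can be shown below.
function verify(raw, record, normalize = normalizePassword) {
  const salt = Buffer.from(record.salt, 'hex');
  const expected = Buffer.from(record.hash, 'hex');
  const actual = crypto.scryptSync(normalize(raw), salt, 32);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample input: a password pasted with stray whitespace.
const record = register('  correct horse battery ');
console.log(verify('correct horse battery', record));            // typed by hand
console.log(verify('correct horse battery \n', record));         // pasted with a newline
console.log(verify('correcthorsebattery', record));              // inner spaces removed
console.log(verify(' correct horse battery', record, (s) => s)); // login path forgot to trim
```

Because the length check runs on the trimmed value, a password made only of spaces is rejected at registration instead of being stored as an empty secret.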
10

It depends,

Some users copy their password from somewhere or fill in their password and copy-paste it in the Confirm Password field. This sometimes gives an extra space before and after the password. A space will be encrypted as well while they didn't even realize a space was there.

While other users actually create passwords with spaces in.

It's totally up to you to decide your password policy. Just make sure it is very clear for the user what your password policy is. Either by alerting them if they used a space or alerting them that using a space isn't allowed.

Kevin Cloet
  • 2
    Not being able to log in simply because you left a space at the end when you entered it in is *not* ok. If you have to put a warning down for the user to see in order to be clear, you can be sure that it is not a good idea. – Neil Sep 26 '14 at 12:35
7

You can use this to alert the user that the password includes spaces or something like that.

```javascript
if (/^\s|\s$/.test(password)) {
    //alert('Hey Watchout');
}
```

Trimming a password is not a good practice.

Hope this helps.

talha2k
  • Using spaces or other non-printable characters at the beginning or at the end of your password is not a good practice. I think they shouldn't be used in the middle as well but I'd support it. – Josef Sábl Mar 19 '13 at 12:42
1

Trim leading and trailing spaces and all other whitespace. It is actually a good practice for all common fields. Do not count these trailing and leading spaces towards minimum password length. Spaces in the middle of a password are just fine. Please, never restrict what a password can contain.

Josef Sábl
1

It depends on your business: if you want to allow the users to create passwords with spaces at the end, you should not do that. Anyway, instead of trimming it, it would be better to validate it and notify the user about an invalid password, showing the reason, in this case the white spaces.

Massimiliano Peluso
1

Do not trim the spaces; some may use whitespace in their password. An application should be user-friendly as well as provide security, so don't trim the spaces.

Abdul Rahman
  • 1
    Not trimming spaces is about being non-user friendly. We had many user requests about non-functioning passwords. They copied it from some Outlook or similar stuff which also copied a whitespace. – Josef Sábl Mar 19 '13 at 12:39
  • This answer doesn't appear to make a difference between *trimming* a password (removing whitespace at the start and end of the password), and overall removing of whitespace *inside* the password itself. – 9769953 Jan 25 '22 at 10:07
-1

Don't trim spaces, since some users do include spaces in their passwords. If you don't want a space then just make it invalid to put spaces in a password.

KingofBliss
  • This answer doesn't appear to make a difference between *trimming* a password (removing whitespace at the start and end of the password), and overall removing of whitespace *inside* the password itself. – 9769953 Jan 25 '22 at 10:07