[drupal-devel] [feature] Trim username at login

kps drupal-devel at drupal.org
Fri Apr 29 19:18:44 UTC 2005


Issue status update for http://drupal.org/node/11791

 Project:      Drupal
-Version:      cvs
+Version:      4.6.0
 Component:    user.module
 Category:     feature requests
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  kps
 Updated by:   kps
 Status:       patch
 Attachment:   http://drupal.org/files/issues/password-trim.patch (951 bytes)

Patch against 4.6 attached.




kps



Previous comments:
------------------------------------------------------------------------

October 20, 2004 - 17:29 : kps

They create an account. They get a password by email. They select the
password plus the preceding blank or following newline. They paste it
into the 'Password' box. They can't log in. They write to me
complaining. I get tired of complaints and patch user.module to strip
leading and trailing blanks.




------------------------------------------------------------------------

October 20, 2004 - 17:39 : kps

Attachment: http://drupal.org/files/issues/user.module_0.patch (766 bytes)

I claim I'm not *really* dumber myself. Drupal timed out on me....




------------------------------------------------------------------------

October 20, 2004 - 18:02 : moshe weitzman

makes sense to me




------------------------------------------------------------------------

October 20, 2004 - 21:54 : rkendall

+1
FWIW -  I could see this being useful, and don't really see any
practical drawbacks.


It does smell of hack, but is that really an issue?  I mean, it might
not be the 'done' thing to mess with passwords, however, I can't
imagine any regular user intentionally putting leading or trailing
whitespace on  a password, but I can imagine it being done accidentally
fairly often (either when setting a password, or when logging in).


To be consistent, it would make sense to trim passwords when setting
them as well.




------------------------------------------------------------------------

October 20, 2004 - 23:09 : Bèr Kessels

-1 from me.
I think we should not start meddling with passwords by trim()ing them.


If you have dumb users, you should fix it in the mail that is sent to
them. That is really easy. For example: add a word after the passwords:


your password is WKDKAFAJ34 please mind capital letters.


or so.


Bèr




------------------------------------------------------------------------

October 20, 2004 - 23:36 : Steven

I don't agree with Bèr... copy/pasting is a fiddly business, especially
because when pasting a password all you see is asterisks and you don't
notice if there is an extra character. Trimming the password won't
hurt, I very much doubt that there are people who consciously use a
space at the beginning or end of their password.


+1 on trimming, it is a usability improvement.




------------------------------------------------------------------------

October 20, 2004 - 23:51 : chx

+1 here. Bèr, if you write a sentence around it, you can still
copy-paste the whitespace before and after it.




------------------------------------------------------------------------

October 21, 2004 - 01:18 : Uwe Hermann

I'm unsure if I really like this, but if this really gets applied,
please make it a configuration option. Do not hardcode it for all
Drupal installations. Thanks, Uwe.




------------------------------------------------------------------------

October 21, 2004 - 05:06 : robertDouglass

+1
I can confirm from my logs that the typical user bungles initial login
1-4 times, with each bungled attempt making an all-out failure more
likely. Not only am I in favor of trimming, I am much in favor of
investigating other means of initial password assignment like on the
initial register form or by generating a unique URL that gets mailed
and only has to be clicked or pasted into the browser address bar.
Sorry if those alternatives have already been widely discussed here.




------------------------------------------------------------------------

October 21, 2004 - 06:21 : stefan nagtegaal

I am all for trimming the spaces in front of the username and after it,
but I am absolutely against another option for such a thing. IMO this is
only a usability improvement and it is not needed to make it a
configurable behaviour..
We have enough options already, and if you'll ask me I'll tell you that
we need less options instead of more..




------------------------------------------------------------------------

October 21, 2004 - 09:58 : Bèr Kessels

Admitted: no one will consciously add spaces to his or her passwords. So
I will pull out my -1 hereby.


but -1 for making it an option. As steef says: it's usability.
I still stick to the -1 for applying this specific patch. I believe
that we should be
1) consistent, and strip /all/ password whitespace.
2) use drupal_set_message() to warn people when whitespace was
stripped. And so to educate users to be aware of whitespace when
copying passwords.




------------------------------------------------------------------------

October 21, 2004 - 11:39 : kps

My proposed patch also strips white space when the user changes the
password, so it's not possible to create an unusable password.


I agree that a warning message would be a good idea.




------------------------------------------------------------------------

October 21, 2004 - 16:10 : Chris Johnson

Part of the problem with users copying and pasting extraneous whitespace
around passwords (or usernames) is the inconsistent behavior in GUI
windowing environments.  That is to say, in some applications in some
GUIs, double-clicking on a word will copy the word and its surrounding
white space, for example.  In others, it will not.


One might think it would be visibly obvious that the surrounding white
space was included in the copy operation, but that's not so.  The words
might be displayed in a very small, proportional font (and further might
be justified or kerned in unpredictable fashion) which make it hard to
see just where the highlighted copied text begins and ends.  This is
under the control of the application and the user.  Or, the user might
think logically that since all he or she wanted was the word, and
likewise that "whitespace" is irrelevant, the user may assume that what
was copied was only the desired word even if they can visibly see that
the adjacent spaces are highlighted.


I'm well aware of this behavior myself and even I sometimes get tripped
up when copying and pasting bits of data here and there by the
occasional undesired white space.


My vote would be to always trim leading and trailing white space, and
to document in the help that such white space is not valid in
passwords.




------------------------------------------------------------------------

March 13, 2005 - 18:25 : killes at www.drop.org

The patch still applies. Apart from Ber everybody liked it. I also like
it.




------------------------------------------------------------------------

March 14, 2005 - 13:42 : Bèr Kessels

"apart from Ber everyone liked it", so here a short comment:
I still believe that what a user inserts should never be modified.
But the current situation is far worse, so I guess it *gets a +1* from
me now too :).




------------------------------------------------------------------------

March 15, 2005 - 18:03 : tangent

RE #11, if whitespace is not checked for in the password validation it
should be. Preventing whitespace from being used is preferable to
simply stripping it.
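
The consistency point raised in the thread (trim when the password is set as well as at login, and tell the user when whitespace was stripped), as an added example that is not part of the original messages, Drupal's user.module or the attached patch. The function names are hypothetical, and PHP's password_hash() is an assumption standing in for whatever hashing the site uses.

```php
<?php
// Added illustration; not Drupal's user.module and not the attached patch.
// normalize_password(), set_password() and check_login() are hypothetical names.

// Strip leading/trailing whitespace and report whether anything was removed,
// so the caller can show a notice (the warning suggested in the thread).
function normalize_password(string $input): array {
    $trimmed = trim($input);   // trim() default set: space, \t, \n, \r, \0, \x0B
    return [$trimmed, $trimmed !== $input];
}

// Setting a password: hash the normalized form only.
function set_password(string $input): array {
    [$password, $changed] = normalize_password($input);
    if ($password === '') {
        throw new InvalidArgumentException('Password is empty after trimming.');
    }
    return [password_hash($password, PASSWORD_DEFAULT), $changed];
}

// Login: apply the same normalization before verifying.
function check_login(string $input, string $stored_hash): bool {
    [$password] = normalize_password($input);
    return password_verify($password, $stored_hash);
}

// Constructed sample values (the password string is the one quoted in the thread).
[$hash, $warn] = set_password("WKDKAFAJ34\n");   // pasted with a trailing newline
var_dump($warn);                                  // whether whitespace was stripped
var_dump(check_login(' WKDKAFAJ34', $hash));      // pasted with a leading blank
var_dump(check_login('WKDKAFAJ34', $hash));       // typed exactly

// Failure mode: trimming at login only. A hash stored from untrimmed input
// cannot be matched afterwards, because check_login() always trims first.
$untrimmed_hash = password_hash("WKDKAFAJ34 ", PASSWORD_DEFAULT);
var_dump(check_login("WKDKAFAJ34 ", $untrimmed_hash));
```

Existing accounts whose stored hash was computed from an untrimmed password fall into the last case, so a change like this needs a plan for them (for example a password reset).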






