[drupal-devel] [feature] Trim username at login
Bèr Kessels
drupal-devel at drupal.org
Mon May 16 09:51:49 UTC 2005
Issue status update for http://drupal.org/node/11791
Project: Drupal
Version: 4.6.0
Component: user.module
Category: feature requests
Priority: normal
Assigned to: Anonymous
Reported by: kps
Updated by: Bèr Kessels
Status: patch
Please note that changing the title affects the whole issue.
Bèr Kessels
Previous comments:
------------------------------------------------------------------------
October 20, 2004 - 18:29 : kps
They create an account. They get a password by email. They select the
password plus the preceding blank or following newline. They paste it
into the 'Password' box. They can't log in. They write to me
complaining. I get tired of complaints and patch user.module to strip
leading and trailing blanks.
------------------------------------------------------------------------
October 20, 2004 - 18:39 : kps
Attachment: http://drupal.org/files/issues/user.module_0.patch (766 bytes)
I claim I'm not *really* dumber myself. Drupal timed out on me....
------------------------------------------------------------------------
October 20, 2004 - 19:02 : moshe weitzman
makes sense to me
------------------------------------------------------------------------
October 20, 2004 - 22:54 : rkendall
+1
FWIW - I could see this being useful, and don't really see any
practical drawbacks.
It does smell of hack, but is that really an issue? I mean, it might
not be the 'done' thing to mess with passwords, however, I can't
imagine any regular user intentionally putting leading or trailing
whitespace on a password, but I can imagine it being done accidentally
fairly often (either when setting a password, or when logging in).
To be consistent, it would make sense to trim passwords when setting
them as well.
------------------------------------------------------------------------
October 21, 2004 - 00:09 : Bèr Kessels
-1 from me.
I think we should not start meddling with passwords by trim()ing them.
If you have dumb users, you should fix it in the mail that is sent to
them. That is really easy. For example: add a word after the passwords:
your password is WKDKAFAJ34 please mind capital letters.
or so.
Bèr
------------------------------------------------------------------------
October 21, 2004 - 00:36 : Steven
I don't agree with Bèr... copy/pasting is a fiddly business, especially
because when pasting a password all you see is asterisks and you don't
notice if there is an extra character. Trimming the password won't
hurt, I very much doubt that there are people who consciously use a
space at the beginning or end of their password.
+1 on trimming, it is a usability improvement.
------------------------------------------------------------------------
October 21, 2004 - 00:51 : chx
+1 here. Bèr, if you write a sentence around it, you can still
copy-paste the whitespace before and after it.
------------------------------------------------------------------------
October 21, 2004 - 02:18 : Uwe Hermann
I'm unsure if I really like this, but if this really gets applied,
please make it a configuration option. Do not hardcode it for all
Drupal installations. Thanks, Uwe.
------------------------------------------------------------------------
October 21, 2004 - 06:06 : robertDouglass
+1
I can confirm from my logs that the typical user bungles initial login
1-4 times, with each bungled attempt making an all-out failure more
likely. Not only am I in favor of trimming, I am much in favor of
investigating other means of initial password assignment like on the
initial register form or by generating a unique URL that gets mailed
and only has to be clicked or pasted into the browser address bar.
Sorry if those alternatives have already been widely discussed here.
------------------------------------------------------------------------
October 21, 2004 - 07:21 : stefan nagtegaal
I am all for trimming the spaces in front of the username and after it,
but I am absolutely against another option for such thing. IMO this is
only a usability improvement and it is not needed to make it a
configurable behaviour..
We have enough options already, and if you'll ask me I'll tell you that
we need less options instead of more..
------------------------------------------------------------------------
October 21, 2004 - 10:58 : Bèr Kessels
Admitted: no one will consciously add spaces to his or her passwords. So
I will pull out my -1 hereby.
But -1 for making it an option. As steef says: it's usability.
I still stick to the -1 for applying this specific patch. I believe
that we should be
1) consistent, and strip /all/ password whitespace.
2) use drupal_set_message() to warn people when whitespace was
stripped. And so to educate users to be aware of whitespace when
copying passwords.
------------------------------------------------------------------------
October 21, 2004 - 12:39 : kps
My proposed patch also strips white space when the user changes the
password, so it's not possible to create an unusable password.
I agree that a warning message would be a good idea.
------------------------------------------------------------------------
October 21, 2004 - 17:10 : Chris Johnson
Part of the problem with users copying and pasting extraneous whitespace
around passwords (or usernames) is the inconsistent behavior in GUI
windowing environments. That is to say, in some applications in some
GUIs, double-clicking on a word will copy the word and its surrounding
white space, for example. In others, it will not.
One might think it would be visibly obvious that the surrounding white
space was included in the copy operation, but that's not so. The words
might be displayed in a very small, proportional font (and further might
be justified or kerned in unpredictable fashion) which make it hard to
see just where the highlighted copied text begins and ends. This is
under the control of the application and the user. Or, the user might
think logically that since all he or she wanted was the word, and
likewise that "whitespace" is irrelevant, the user may assume that what
was copied was only the desired word even if they can visibly see that
the adjacent spaces are highlighted.
I'm well aware of this behavior myself and even I sometimes get tripped
up when copying and pasting bits of data here and there by the
occasional undesired white space.
My vote would be to always trim leading and trailing white space, and
to document in the help that such white space is not valid in
passwords.
------------------------------------------------------------------------
March 13, 2005 - 19:25 : killes at www.drop.org
The patch still applies. Apart from Ber everybody liked it. I also like
it.
------------------------------------------------------------------------
March 14, 2005 - 14:42 : Bèr Kessels
"apart from Ber everyone liked it", so here a short comment:
I still believe what a user inserts should never be modified.
But the current situation is far worse, so I guess it *gets a +1* from
me now too :).
------------------------------------------------------------------------
March 15, 2005 - 19:03 : tangent
RE #11, if whitespace is not checked for in the password validation it
should be. Preventing whitespace from being used is preferable to
simply stripping it.
------------------------------------------------------------------------
April 29, 2005 - 20:18 : kps
Attachment: http://drupal.org/files/issues/password-trim.patch (951 bytes)
Patch against 4.6 attached.
------------------------------------------------------------------------
May 15, 2005 - 22:06 : jakeg
I am +10 for this... but so far have leading/trailing spaces been
allowed in passwords? If they have, then this causes an obvious problem
- users with existing leading/trailing spaces in their passwords will no
longer be able to login. You can't pull the password hash out of the
database and trim that... that's not how hashes work.
If leading/trailing spaces *have* been allowed in the past, then the
obvious work around would be: if someone tries to login and enters a
leading/trailing space and the login fails, ask them whether their
password has one. If it does, get them to reset their password then
choose a new one.
Of course you also have to ensure that when users set up new
passwords/edit their passwords the password hash is made from a trimmed
version of their password. You don't have to inform them that it's been
trimmed. It's irrelevant to them. You just do it.
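
The migration problem raised in the last comment, as an added example that is not part of the thread or of Drupal's user.module: passwords are trimmed when set and when checked, and an account whose stored hash predates trimming is detected by retrying the raw input. The function names and sample password are hypothetical, and PHP's password_hash()/password_verify() stand in for whatever hashing the site uses.

```php
<?php
// Added illustration, not Drupal code. Function names are hypothetical and
// password_hash()/password_verify() stand in for the site's own hashing.

// Store a hash of the trimmed password, so a blank or newline picked up
// while copying never becomes part of the secret.
function set_password(string $input): string {
    return password_hash(trim($input), PASSWORD_DEFAULT);
}

// Returns 'ok', 'legacy_whitespace' or 'fail'.
function check_login(string $input, string $stored_hash): string {
    $trimmed = trim($input);
    if (password_verify($trimmed, $stored_hash)) {
        return 'ok';
    }
    // A stored hash cannot be trimmed after the fact. If the account
    // predates trimming, only the raw input can still match; report that
    // separately so the caller can have the user choose a new password.
    if ($trimmed !== $input && password_verify($input, $stored_hash)) {
        return 'legacy_whitespace';
    }
    return 'fail';
}

// Constructed sample data: the same pasted string, hashed before and after
// trimming was introduced.
$pasted = " Example-Pass-1\n";
$legacy_hash = password_hash($pasted, PASSWORD_DEFAULT);
$new_hash    = set_password($pasted);

$cases = [
    'new account, pasted with whitespace'    => [$pasted, $new_hash],
    'new account, typed cleanly'             => ['Example-Pass-1', $new_hash],
    'legacy account, typed cleanly'          => ['Example-Pass-1', $legacy_hash],
    'legacy account, pasted with whitespace' => [$pasted, $legacy_hash],
];
foreach ($cases as $label => [$input, $hash]) {
    printf("%-40s %s\n", $label, check_login($input, $hash));
}
```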