[drupal-devel] [feature] Trim username at login
Cvbge
drupal-devel at drupal.org
Mon May 16 19:44:47 UTC 2005
Issue status update for http://drupal.org/node/11791
Project: Drupal
Version: 4.6.0
Component: user.module
Category: feature requests
Priority: normal
Assigned to: Anonymous
Reported by: kps
Updated by: Cvbge
Status: patch
ok. I revoke my -1 for trimmed passwords. Go ahead and trim them. I
think there is no need to notify users about trimmed passwords or
reject passwords with leading/trailing whitespaces.
But still, attached patch is lacking support for existing passwords
with such whitespaces.
This can be accomplished for example by also checking not-trimmed
version if trimmed version fails.
Cvbge
Previous comments:
------------------------------------------------------------------------
October 20, 2004 - 19:29 : kps
They create an account. They get a password by email. They select the
password plus the preceding blank or following newline. They paste it
into the 'Password' box. They can't log in. They write to me
complaining. I get tired of complaints and patch user.module to strip
leading and trailing blanks.
------------------------------------------------------------------------
October 20, 2004 - 19:39 : kps
Attachment: http://drupal.org/files/issues/user.module_0.patch (766 bytes)
I claim I'm not *really* dumber myself. Drupal timed out on me....
------------------------------------------------------------------------
October 20, 2004 - 20:02 : moshe weitzman
makes sense to me
------------------------------------------------------------------------
October 20, 2004 - 23:54 : rkendall
+1
FWIW - I could see this being useful, and don't really see any
practical drawbacks.
I does smell of hack, but is that really an issue? I mean, it might
not be the 'done' thing to mess with passwords, however, I can't
imagine any regular user intentionally putting leading or trailing
whitespace on a password, but I can imagine it being done accidentally
fairly often (either when setting a password, or when logging in).
To be consistent, it would make sense to trim passwords when setting
them as well.
------------------------------------------------------------------------
October 21, 2004 - 01:09 : Bèr Kessels
-1 from me.
I think we should nstart meddling with passwords by trim()ing them.
If you have dumb users, you should fix it in the mail that is send to
them. That is really easy. For example: add a word after the passwords:
your password is WKDKAFAJ34 please mind capital letters.
or so.
Bèr
------------------------------------------------------------------------
October 21, 2004 - 01:36 : Steven
I don't agree with Bèr... copy/pasting is a fiddly business, especially
because when pasting a password all you see is asterisks and you don't
notice if there is an extra character. Trimming the password won't
hurt, I very much doubt that there are people who consciously use a
space at the beginning or end of their password.
+1 on trimming, it is a usability improvement.
------------------------------------------------------------------------
October 21, 2004 - 01:51 : chx
+1 here. Bèr, if you write a sentence around it, you can still
copy-paste the whitespace before and after it.
------------------------------------------------------------------------
October 21, 2004 - 03:18 : Uwe Hermann
I'm unsure if I really like this, but if this really gets applied,
please make it a configuration option. Do not hardcode it for all
Drupal installations. Thanks, Uwe.
------------------------------------------------------------------------
October 21, 2004 - 07:06 : robertDouglass
+1
I can confirm from my logs that the typical user bungles initial login
1-4 times, with each bungled attempt making an all-out failure more
likely. Not only am I in favor of trimming, I am much in favor of
investigating other means of initial password assignment like on the
initial register form or by generating a unique URL that gets mailed
and only has to be clicked or pasted into the browser address bar.
Sorry if those alternatives have already been widely discussed here.
------------------------------------------------------------------------
October 21, 2004 - 08:21 : stefan nagtegaal
I am all for trimming the spaces in front of the username and after it,
but I am absoklutely against another option for such thing. IMO this is
only a usability improvement and it is not needed to make it a
configurable behaviour..
We have enough options already, and if you'll ask me I'll tell you that
we need less options instead of more..
------------------------------------------------------------------------
October 21, 2004 - 11:58 : Bèr Kessels
Admitted: no one will conciously add spaces to his or her passwords. So
i will pull out my -1 hereby.
but -1 for making ot an option. As steef syis: its useability.
I still stick to the -1 for applying this specific patch. I beleive
that we should be
1) consitant, and strip /all/ password whitespace.
2) use drupal_set_message() to warn people when whitespace was
stripped. And so to educate users to be aware of whitespace when
copying passwords.
------------------------------------------------------------------------
October 21, 2004 - 13:39 : kps
My proposed patch also strips white space when the user changes the
password, so it's not possible to create an unusable password.
I agree that a warning message would be a good idea.
------------------------------------------------------------------------
October 21, 2004 - 18:10 : Chris Johnson
Part of the problem with users copying and pasting extraneous whitespace
around passwords (or userrnames) is the inconsistent behavior in GUI
windowing environments. That is to say, in some applications in some
GUIs, double-clicking on a word will copy the word and its surrounding
white space, for example. In others, it will not.
One might think it would be visibly obvious that the surrounding white
space was included in the copy operation, but that's not so. The words
might be displayed in a very small, proportional font (and further might
be justified or kerned in unpredictable fashion) which make it hard to
see just where the highlighted copied text begins and ends. This is
under the control of the application and the user. Or, the user might
think logically that since all he or she wanted was the word, and
likewise that "whitespace" is irrelevant, the user may assume that what
was copied was only the desired word even if they can visibly see that
the adjacent spaces are highlighted.
I'm well aware of this behavior myself and even I sometimes get tripped
up when copying and pasting bits of data here and there by the
occasional undesired white space.
My vote would be to always trim leading and trailing white space, and
to document in the help that such white space is not valid in
passwords.
------------------------------------------------------------------------
March 13, 2005 - 20:25 : killes at www.drop.org
The patch still applies. Apart from Ber everybody liked it. I also like
it.
------------------------------------------------------------------------
March 14, 2005 - 15:42 : Bèr Kessels
"apart from Ber everyone liked it", so here a short comment:
I still beleive modifying what a user inserts should never be modified.
But the current situation is far worse, so I guess it *gets a +1* from
me now too :).
------------------------------------------------------------------------
March 15, 2005 - 20:03 : tangent
RE #11, if whitespace is not checked for in the password validation it
should be. Preventing whitespace from being used is preferable to
simply stripping it.
------------------------------------------------------------------------
April 29, 2005 - 21:18 : kps
Attachment: http://drupal.org/files/issues/password-trim.patch (951 bytes)
Patch against 4.6 attached.
------------------------------------------------------------------------
May 15, 2005 - 23:06 : jakeg
I am +10 for this... but so far have leading/trailing spaces been
allowed in passwords? If they have, then this causes an obvious problem
- users with existing leading/trailing spaces in their passwords will no
longer be able to login. You can't pull the password hash out of the
database and trim that... that's not how hashes work.
If leading/trailing spaces *have* been allowed in the past, then the
obvious work around would be: if someone tries to login and enters a
leading/trailing space and the login fails, ask them whether their
password has one. If it does, get them to reset their password then
choose a new one.
Of course you also have to ensure that when users setup new
passwords/edit their passwords the password hash is made from a trimmed
version of their password. You don't have to inform them that its been
trimmed. Its irrelevant to them. You just do it.
------------------------------------------------------------------------
May 16, 2005 - 11:51 : Bèr Kessels
Please note that chaging the title, affects the whole issue.
------------------------------------------------------------------------
May 16, 2005 - 14:43 : Cvbge
-1 in the current form
I'll +1 iff:
this is configuration option, off by default
if enabled adds a warning message in appropriate places
if enabled checks both trimmed and not trimmed password - this way
existing passwords with leading/trailing spaces will work
------------------------------------------------------------------------
May 16, 2005 - 19:01 : drumm
This should not be a configurable option. A significant portion of
Drupal site administrators will not understand such an option. I am
guessing the majority won't care. I think in cases like this we need to
decide that one way is clearly better and stick to it. I think that
trimming is the best thing to do since I've heard about this sort of
problem infrequently for the past year. It looks like current passwords
which begin or end with a space is a possibly statistically
insignificant problem.
------------------------------------------------------------------------
May 16, 2005 - 20:07 : Cvbge
This should not be a configurable option. A significant portion of
Drupal site administrators will not understand such an option.
Eh? How can someone not understand such simple option? Here, let me
provide you with a help message: (I have tried to be nice ;))
[x] trim passwords
If enabled spaces from begining and ending of user passwords are
removed. This is done because users sometime copy&paste passwords with
leading or trailing white spaces and can't log in. Enable if you have
many stupid users. Enabling this option is safe for you and your users.
If you don't understand what you just read then don't touch this
option.
------------------------------------------------------------------------
May 16, 2005 - 20:09 : Morbus Iff
-1 for yet another configuration option.
------------------------------------------------------------------------
May 16, 2005 - 20:15 : Cvbge
If you feel lost among lots of options then let's make a
super-hiper-advanced-don't-touch-you-have-been-warned page with many
nice but scary options...
This way both parties will be happy.
------------------------------------------------------------------------
May 16, 2005 - 20:21 : Morbus Iff
Super-hiper-advanced sounds like "edit the code yerself, bub" to me [g].
------------------------------------------------------------------------
May 16, 2005 - 20:23 : Kobus
> If you feel lost among lots of options then let's make a
> super-hiper-advanced-don't-touch-you-have-been-warned
> page with many nice but scary options...
> This way both parties will be happy.
+1 for the thread in general, and +1 for this. I am ALL for more and
more options, but with SENSIBLE default values, and hidden away to not
make the options pages cluttered.
If implementing this, maybe weighting opinions in general with this
discussion, get the general feel of a new option, and if it's
implemented, but not popular, move it away to the super-hyper-advanced
page.
Kobus
------------------------------------------------------------------------
May 16, 2005 - 20:37 : altano
-1 on configuration option. I agree a choice needs to be made on this
issue.
I don't like the idea of changing something the user enters without
telling them. Simply trimming their password at registration seems
silly.
I think that if a password has spaces in it, it should be rejected with
a proper error. Then, all login attempts can use a trimmed password.
More information about the drupal-devel
mailing list