
Should users be allowed to enter a password with a space at the beginning or end? [closed]

Tags:

passwords

Should users be able to enter a password such as " 12345" or "12345 " – a space at the beginning or end? Or would you trim the password to remove the leading or trailing spaces because it may just be a typing error?

asked Mar 10 '09 20:03

Darryl Hein


2 Answers

Yes, they should.

  • It annoys me to no end when people decide how my password should behave especially when it's nonsensical. I would like more than 8 characters please.
  • You should be hashing the password, so maximum character lengths and spaces at the end don't matter.

No, you should not trim it.

  • You require a user to enter the password twice (when creating it) to eliminate typing errors. Therefore a space doesn't matter.

answered Sep 30 '22 02:09

Tom Ritter


Let me tell you a story.

I needed to create an account on an ecommerce site, so I ran my random password generator to make an 8 character upper/lower/number/punctuation password, pasted it in twice to confirm it, finished registering with all of my personal information, and saved the random password in a local PGP-encrypted file for later use.

Later on I tried logging in, but pasting the password again didn't work. After a bit of testing, I was horrified to find that the site had stripped out all punctuation marks from the original password, in some misguided attempt at sanitization, reducing my password to three easily brute forceable letters.

DON'T trim or sanitize users' passwords.

answered Sep 30 '22 02:09

Josh Kelley
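
Both answers' points, as an added example that is not part of either answer or of the original page: the password is hashed exactly as typed, so a leading space and a 580-character passphrase both verify and yield a fixed-size digest, while a punctuation-stripping filter shrinks a generated password to three letters. PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware


def hash_password(password: str) -> tuple:
    """Hash the password exactly as typed: no trim, no character filter, no length cap."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive from the submitted string, untouched, and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def strip_punctuation(password: str) -> str:
    """Hypothetical reconstruction of the 'sanitizer' the second answer warns about."""
    return "".join(ch for ch in password if ch not in string.punctuation)


def demo() -> dict:
    # Constructed sample passwords, not taken from the page.
    spaced = " 12345"
    long_pw = "correct horse battery staple " * 20  # 580 chars, trailing space
    generated = "k#T!$Q&%"                          # 8 chars, mostly punctuation

    salt, stored = hash_password(spaced)
    long_salt, long_stored = hash_password(long_pw)
    return {
        "exact_match": verify_password(spaced, salt, stored),
        "trimmed_match": verify_password(spaced.strip(), salt, stored),
        "stored_len_short": len(stored),      # digest size is fixed...
        "stored_len_long": len(long_stored),  # ...whatever the input length
        "long_roundtrip": verify_password(long_pw, long_salt, long_stored),
        "after_sanitizer": strip_punctuation(generated),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```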