Should you trim passwords?

A question I see asked from time to time is whether or not web sites should trim passwords on account creation and login. More often than not the typical responses show both a complete lack of understanding of what "trim" even means from people who should know better, and a lack of understanding that not every user is Dade Murphy after he just got in from grindin' some serious hand rails. Not everyone has their head up their ass or argues from a position of complete ignorance, though.

So consider:

  • Trim means to remove white space from the beginning and end of a string, not the center.
  • Even if you don't email passwords or display them anywhere, users will still copy/paste them to each other and various places and often this will add a space or \n to the end of the string.

A few things are clear to me based on my experience and reading what others had to say about it:

  1. People who are against trimming passwords either don't know what trim means, or think everyone else understands and uses simple security protocols like not saving passwords in word processors.
  2. People who are against trimming passwords probably have never had to deal with real users or customers, and probably are some shitty wannabe Richard Stallman with more than slightly high expectations of what users can and should be able to do.
  3. Users should be allowed to have spaces within the string itself, but not on either end, in order to save your support people (and possibly yourself) a lot of headaches
  4. People who are against it assume that if there's a space it's because a user intended it, but how many people actually put spaces at the end of passwords? Basically fucking nobody.

So it's simple: users should be able to use any characters they want in a password, but the password should be trimmed at both account creation and login. There's also no reason to warn people that passwords are trimmed, again because nobody understands what the fuck this means, even apparently technical people. We know from massive lists of cracked and leaked plain text passwords that nobody uses spaces at the end of passwords, not even keyboard cowboys who give bad advice on Stack Overflow.
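Here is what that policy looks like in code, as an added example written for this post rather than taken from it: the same trim step runs before hashing at account creation and before comparison at login, so a trailing space or `\n` picked up from a copy/paste never changes the result, while spaces inside the password still count. The PBKDF2 parameters and record layout are assumptions for illustration, not a recommendation for any particular site.

```python
import hashlib
import hmac
import os
from typing import Optional

# Normalisation step shared by registration and login.
# str.strip() with no argument removes leading and trailing whitespace
# only (spaces, tabs, \r, \n, ...); interior whitespace is left alone.
def normalize_password(raw: str) -> str:
    return raw.strip()


def create_credential(raw_password: str, iterations: int = 600_000,
                      salt: Optional[bytes] = None) -> dict:
    """Registration: trim, then derive a salted PBKDF2-HMAC-SHA256 hash.
    Returns the record you would store (never the password itself)."""
    salt = os.urandom(16) if salt is None else salt
    pw = normalize_password(raw_password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(raw_password: str, record: dict) -> bool:
    """Login: apply the identical trim, re-derive, compare in constant time."""
    pw = normalize_password(raw_password).encode("utf-8")
    candidate = hashlib.pbkdf2_hmac("sha256", pw, record["salt"],
                                    record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample: user registered with a pasted trailing newline.
    record = create_credential("correct horse battery\n")
    print(verify_password("correct horse battery", record))      # True
    print(verify_password(" correct horse battery \r\n", record))  # True
    print(verify_password("correct  horse battery", record))     # False
```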

Trim away my friends, don't listen to people who probably don't even have clients.