Allowing Spaces in Username/Password
 

I'm on a coldfusion server and one of the biggest issues with login problems with clients is that, when they copy and paste login information down, they copy spaces with it too. Then a lot of time gets wasted trying to figure out why they can't login.

So I thought about allowing whitespace characters with login so this issue would be resolved once and for all. I checked some major sites and they do not accept it, but google seems to accept whitespace characters.

Does anyone see any security issue to this?

If not, how do you think I should code the TRIM value for the username/password in the form login, so that before the page hits the database to check for a match on the username/password, it would remove the whitespace characters the person would enter.

As far as what I need accomplished, basically the ability to accept spaces entered before or after the username and password.

There's no real security issue that I know of with allowing white space in a username or password, as long as you have the proper code on the backend to avoid SQL injection attacks. That includes either calling a stored procedure to access the database, or using <cfqueryparam> tags in direct SQL (with <cfquery>).

I personally use trim() for usernames and passwords, both when they are creating them, and when they are using them. When copying from MS word, a web page, or some other programs, a little white space can automatically be copied as well. However, people won't realize this in a password field which just shows **********.

This is pretty much my query to check a username/password:
However if you do want to accept white space before and after, then just don't run trim() on the values that are provided to the database.

Hope that helps.

-Greg