django.contrib.auth forms shouldn't strip whitespace from password fields
I upgraded an existing site to Django 1.9. The new CharField strip functionality that is turned on by default now strips all whitespace from the beginning and the end of the passwords, which prevents affected users from logging in with their correct password. The users must use the password recovery functionality to be able to log in again.
A Django 1.8 site has a user with password " aaa ", which is stored in the db.
The site is upgraded to Django 1.9.
AuthenticationForm now tries to log in the user with password "aaa" instead of the correct one.
Also, stripping the input text may cause users to have less secure passwords than they think.
All password fields in django.contrib.auth should add strip=False to their arguments.
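A stdlib-only model of the failure described in this report, added here as an example and not taken from Django or from the ticket: `clean_field` is a hypothetical stand-in for a form field whose `strip` option is on by default, and the PBKDF2 helpers are a simplified password store with a constructed sample account.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # kept low so the demo is fast; not a production setting


def clean_field(value, strip=True):
    """Hypothetical stand-in for a form CharField's cleaning step."""
    return value.strip() if strip else value


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest) for the exact string given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, stored):
    """Constant-time comparison of a candidate password against a stored hash."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def login(submitted, stored, strip):
    """Clean the submitted value as the login form would, then verify it."""
    return verify(clean_field(submitted, strip), stored)


def set_password(submitted, strip):
    """Clean the value as a set-password form would, then hash it."""
    return hash_password(clean_field(submitted, strip))


# Constructed sample: the account from the report, hashed before the upgrade.
stored_before_upgrade = hash_password(" aaa ")

if __name__ == "__main__":
    # After the upgrade the login field strips, so the correct password fails.
    print("strip=True :", login(" aaa ", stored_before_upgrade, strip=True))
    # With strip=False the submitted value reaches the hasher unchanged.
    print("strip=False:", login(" aaa ", stored_before_upgrade, strip=False))
    # A password set through a stripping form is accepted without the spaces.
    weak = set_password(" aaa ", strip=True)
    print("set with strip, 'aaa' accepted:", verify("aaa", weak))
```

The last case is the second concern in the report: when the set-password field strips, the stored secret is shorter than what the user typed.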
Change History (5)
comment:1 by , 8 years ago
Normal → Release blocker
django.contrib.auth forms strip password fields → django.contrib.auth forms shouldn't strip whitespace from password fields
Unreviewed → Accepted