id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
26334	django.contrib.auth forms shouldn't strip whitespace from password fields	juristi	Vincenzo Pandolfo	"I upgraded an existing site to Django 1.9. The new CharField strip functionality that is turned on by default now strips all white space from the beginning and the end of the passwords, which prevents affected users from logging in with their correct password. The users must use the password recovery functionality to be able to log in again.

An example:
Django 1.8 site has a user with password "" aaa "", which is stored in db.
Site is upgraded to Django 1.9
AuthenticationForm now tries to log in user with password ""aaa"" instead of the correct one.

Also stripping the input text may cause users to have less secure passwords than they think.

All password fields in django.contrib.auth should add strip=False to their arguments.
"	Bug	closed	contrib.auth	1.9	Release blocker	fixed			Accepted	1	0	0	0	0	0