horizon: Trailing spaces removed on passwords

Radosław Piliszek radoslaw.piliszek at gmail.com
Wed Jan 29 07:33:06 UTC 2020


Folks,

I believe the password value should never ever be modified, that
includes space stripping.

Albert wrote:
> Passwords should not contain leading/trailing spaces

Strong claim. I think it's clumsy if they do, but still a password is
a password :-)

Albert wrote:
> it is usually because of a paste error

I agree here, I rarely see people willing to have trailing spaces in
their passwords.
UI/UX-wise people should be allowed to peek at their password as they
are entering it (to validate its correctness).
Also, it's the very reason why the password change form has you repeat
the new password (and sometimes even blocks any copy-pasting, which is
actually bad UI/UX because it cripples password managers).

Akihiro wrote:
> Django AuthenticationForm does not strip an input password

Which is how it should be.

Akihiro wrote:
> Other usages of CharField may assume the default behavior.

Indeed, one should modify horizon, not django, here.

Sorin wrote:
> This kind of feature must always be implemented in the client (browser)

Well, it can (and is in this case) also be implemented on the server
side (by horizon/django here).

Sorin wrote:
> no server side API should ever try to “sanitize” a password string.

Sanitization is always performed to avoid SQL injection and the like.

-yoctozepto
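
The effect of stripping discussed in this thread, as an added example that is not part of the original message and is not horizon or Django code: it checks every combination of a stripping and a non-stripping field at enrollment and at login. `clean_field` is a hypothetical stand-in for a form text field, and the passwords and round count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed value for the demonstration


def clean_field(raw, strip):
    """Hypothetical stand-in for a form text field that may strip whitespace."""
    return raw.strip() if strip else raw


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )


def enroll(raw, strip):
    """Store (salt, hash) of whatever the enrollment form hands over."""
    salt = os.urandom(16)
    return salt, hash_password(clean_field(raw, strip), salt)


def login(raw, strip, record):
    """Verify what the login form hands over against the stored record."""
    salt, stored = record
    candidate = hash_password(clean_field(raw, strip), salt)
    return hmac.compare_digest(candidate, stored)


def audit(password):
    """Map (enroll strips?, login strips?) -> does the same input log in?"""
    results = {}
    for enroll_strips in (False, True):
        record = enroll(password, enroll_strips)
        for login_strips in (False, True):
            results[(enroll_strips, login_strips)] = login(
                password, login_strips, record
            )
    return results


if __name__ == "__main__":
    # Constructed sample password with one trailing space.
    for combo, ok in audit("correct horse ").items():
        print("enroll strips=%s, login strips=%s -> %s" % (combo + (ok,)))
```

When only one of the two paths strips, the user is locked out with the password they chose; when both strip, the stored secret is silently a different string from the one typed.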


