Why do generated passwords start/end with spaces?

If wp_generate_password() was called with the third parameter $extra_special_chars = true a space might be part of the password:

function wp_generate_password( $length = 12, $special_chars = true, $extra_special_chars = false ) {
    $chars="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    if ( $special_chars )
        $chars .= '!@#$%^&*()';
    if ( $extra_special_chars )
        $chars .= '-_ []{}<>~`+=,.;:/?|';

    $password = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $password .= substr($chars, wp_rand(0, strlen($chars) - 1), 1);
    }

    // random_password filter was previously in random_password function which was deprecated
    return apply_filters('random_password', $password);
}

There are three other possibilities how spaces can find a way into passwords:

  1. The email client applied some broken formatting to the message.
  2. A plugin filters the password and adds the space.
  3. A plugin defined the function before WP did it (it is a pluggable function) and allowed spaces.

Search all installed plugins for password. Ask your users what email client they are using. To prevent spaces before or after WP generated passwords add a filter:

add_filter( 'random_password', 'trim' );

Note that WordPress does not send passwords with spaces to users by default. There is probably some other code involved.

Related Posts:

  1. Get plain password on register
  2. Is it possible to have users register without having a password?
  3. wordpress redirect after password reset
  4. Password protecting a page
  5. How to save Admin FTP password
  6. How to let user set password on registration
  7. Bypass password protected posts via GET variable
  8. Duplicate hash method for password in .NET
  9. Hide password protected posts
  10. Safe to store SMTP password in wp-config.php?
  11. Access code/password only restricts page access, no user registration..?
  12. PasswordHash not found in namespace
  13. Force all users in MU to change their passwords
  14. How to customise wp-login.php only for users who are setting a password for the first time?
  15. Check Password Reset Key Not Woking
  16. Reset password – set minimum length for new password
  17. How to shorten length of auto generated password sent during registration?
  18. Lost password link is redirecting to /shop/my-account/lost-password/
  19. WordPress: force users to change password on first login
  20. Can’t login to wordpress despite changing password to something known directly in MySQL or using “Password Reset by Email” feature
  21. Change default recovery link expiration time
  22. Lost password link redirects to my-account/lost-password/,how to fix it back to default lost password
  23. Set content type to HTML for lost password email only
  24. Where is the reset password key stored/generated?
  25. Password field (and confirmation) showing up twice on registration
  26. How validate usernames/passwords against WP’s database?
  27. Is there any good tutorial to write custom login, registration and password recovery forms? [closed]
  28. Make post password required to publish
  29. Add error message on password protected pages
  30. User password field is empty
  31. post_password_required() not recognizing cookie set with correct password
  32. Is there a maximum length to user passwords?
  33. Password protect the site (without htaccess or membership)
  34. Password Protected page not asking for a password
  35. Which hook should I use to capture $_POST(‘password’) via profile update and password reset
  36. Invalid key on activation and password reset
  37. I would like to password protect my entire WordPress site (ip validated), except for one page
  38. Custom login form for front-end user as well as admin
  39. how to remotely check a username / password from within a plugin
  40. Password changed [duplicate]
  41. How to get user password before being encrypted outside the wordpress core once add a new user from dashboard?
  42. Correct passwords keep appearing as incorrect
  43. Can i add password field into my wp registration form?
  44. Custom password form allows unlock two posts with the same password
  45. How to change password
  46. Custom Front End Registration – How Does the Key work in the Password Set Request?
  47. password recovery key is invalid on custom reset
  48. Password Protected Post is invisible until you login
  49. Send password to user instead of reset password link
  50. Protect Passwords in wp_users with stronger protection than MD5
  51. How secure is a wp-config file?
  52. How to check user’s password?
  53. How to Remove or Deactivate “Application Passwords” in WordPress
  54. What’s the algorithm to verify user password?
  55. How to change “Reset Password” text on submit button
  56. resend user login & password with custom button
  57. Send clear password via mail
  58. How to show my wordpress admin username & password?
  59. Why does hashing a password result in different hashes, each time?
  60. Can’t alter $lostpassword_url
  61. How to read third party cookie to access password protected pages
  62. Ask logged in user to re-enter password to access page “x”
  63. Password protected sites
  64. Front-end registration form with password field
  65. 2 accounts under same email preventing me from loging in
  66. How would I create a Password Protected Page with Content on it?
  67. Site only for users authenticated by different PHP application
  68. wordpress custom password change problem
  69. Allow all reset password links within the past 24 hours to be valid and accepted
  70. WooCommerce Lost Password reset goes to 404
  71. Wrong activation/confirmation link in email
  72. Send user auto generated password on different email
  73. I need help with wp_lostpassword, wp_register and wp_login_form
  74. Create Member who can’t be changed
  75. How to invalidate `password reset key` after being used
  76. I can’t recover my password
  77. $expiration_duration = apply_filters( ‘password_reset_expiration’, DAY_IN_SECONDS );
  78. Frontend custom forgot password page
  79. Password Protect content() on homepage
  80. Function called by password_reset action passed only 1 argument instead of 2 in PHP 7.2.11
  81. How to set password from frontend if have activation key and user login in url in wordpress?
  82. Allow users from my ASP.Net MVC site to access my private WordPress site
  83. Create password protected page, no registration
  84. How to call or add password input / generate password / password strenght meter in custom registration form?
  85. WordPress Protected Page Redirects to PDF
  86. Bypass a WordPress Password Protected Post or Page via a URL
  87. Custom page password recovery
  88. Chosen user password in registration is not being accepted on Login
  89. Can I use core passworded page/post functions outside of wp-login.php?
  90. Is it possible to display newly generated password after wp_generate_password()?
  91. forgot password
  92. Mail function not working with user accounts
  93. mysql update user’s password and activation key
  94. Password Protection for posts and pages [duplicate]
  95. WordPress reset password button not working
  96. Override the default password length when creating or updating a user profile
  97. Why can’t I create an Application Password?
  98. ‘random_password’ filters not taking effect
  99. Change password reqts with NO plugin without breaking resetpass link?
  100. Bypass a WordPress Password Protected Page via url

Leave a Comment