by qjz 5369 days ago
On a related note, one of the web sites I frequently use stripped all spaces from my password without notice before storing it on the server. So when I registered with a password like 'I am Sam', I found I could only log in using 'IamSam'. Any attempt to use the original password caused an error. I reported this to the site admin, and the solution they came up with was to silently strip the spaces from the password as it is typed into the form. Now I can type in 'I am Sam', but 'IamSam' is the actual password sent to the server. File this under '2 wrongs don't make a right'.

A while ago, Tracfone's web site had a rather disappointing bug. Both the account registration and login flows did password validation, and used different validation functions. The result was that I could create an account with a password containing special characters that the authentication system would reject as containing invalid characters (and therefore not even try to verify against my stored password/hash).

Moral: account registration and authentication must use the same password normalization functions, and if you validate at auth time (which is pointless, but hey), the validation function must be the same as the registration one.

Better moral: just don't do silly things with passwords. Encrypt them and store them, accepting whatever the user wants to send you that's sufficiently long/high-entropy.
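Added example (not from either commenter or from the sites they describe) showing both failure modes side by side: a registration path that silently strips spaces, a login path that applies its own character whitelist, and then one shared path that hashes the user's literal password. All function names, the regex and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed demo; PBKDF2 iteration count is illustrative, not a recommendation.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# --- Buggy flows: registration and login normalize/validate differently ---

def buggy_register(password: str) -> dict:
    stored = password.replace(" ", "")  # silently strips spaces before hashing
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(stored, salt)}

# Login-only whitelist (constructed): letters, digits and spaces. Anything the
# registration form accepted but this regex rejects locks the user out entirely.
_LOGIN_ALLOWED = re.compile(r"^[A-Za-z0-9 ]+$")

def buggy_login(record: dict, password: str) -> bool:
    if not _LOGIN_ALLOWED.match(password):
        return False  # rejected before the stored hash is even consulted
    # No space stripping here, so 'I am Sam' never matches the stored 'IamSam'.
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))

# --- Fixed flows: one hashing routine, no normalization, no auth-time validation ---

def register(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def login(record: dict, password: str) -> bool:
    # Whatever bytes the user registered with are the bytes that must verify.
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))
```

A regression test that registers and then logs in with the same literal string, including spaces and punctuation, catches both bugs before they reach users.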