Should users be able to enter a password such as " 12345" or "12345 " – a space at the beginning or end? Or would you trim the password to remove the leading or trailing spaces because it may just be a typing error?
Never "clean up" a password simply to account for "typing mistakes". This will confuse users and in some cases make it impossible for them to log in. In fact, don't ever change a password behind a user's back...always warn them that a password is invalid and let them try a new one.
A good example that I recently ran into was with a 3Com switch. The web interface allowed me to change the admin password, but didn't warn me that the password was limited to eight characters. I entered a password that was longer than eight characters. When I tried to log in after the change, it simply rejected my password. If I only used the first eight characters, however, I was able to log in (trial and error on my part, not fun).
Passwords these days don't look the way they used to. For instance, my passwords often look like this:
You should validate the password with a confirmation field anyway. If they make the typo twice - then you hopefully have a forgot password or a reset feature in place.
The space shouldn't matter as you shouldn't be storing it in plain text.
I've been to a conference more than once where someone logged in to their account for a demo after the computer display was already up on the big screen, didn't change focus to the password field correctly, and thus their password was revealed to the entire audience.
Anyone who might have to enter credentials in front of others should consider keeping a trailing space or three in their password, just in case. And when building authentication systems, you should never trim those spaces.
I'm voting for: No, they shouldn't:
There's a big benefit for not allowing users to use spaces at the beginning and end of passwords and that's simply that it eliminates the problem which often arises when a user copies and pastes their password (e.g. from an email) and it includes white space which isn't part of the password.
The user then gets frustrated, thinks the system is broken and contacts support. A developer is promptly pulled onto the project to check the "buggy" login process only to spend a day pulling out his/her hair until he/she realises the problem.
I think enforcing this policy when creating a password solves more problems than it creates.
Yes, they should.
No, you should not trim it.
Space is a regular password character, and you shouldn't remove it.
Since you probably hash the password before storing it in the database, the space will be treated as any other character.
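The behaviours the answers above describe, as an added example that is not part of any answer: the password is hashed exactly as typed, an optional strict policy rejects edge whitespace with a message instead of trimming, and a silent trim at set-time is shown locking the user out. The function names, the PBKDF2 choice and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example


class PasswordRejected(ValueError):
    """Raised at set-time so the user is told, instead of the input being altered."""


def hash_password(password, salt):
    # The exact characters are hashed; a space is just another input byte.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(password, allow_edge_whitespace=True):
    """Return (salt, digest). Never trims: accept as typed or reject with a reason."""
    if not allow_edge_whitespace and password != password.strip():
        raise PasswordRejected("password must not start or end with whitespace")
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify_password(password, salt, digest):
    # No normalisation here either: verification sees what the user typed.
    return hmac.compare_digest(hash_password(password, salt), digest)


def demo():
    typed = "12345 "  # constructed sample from the question: trailing space
    salt, digest = set_password(typed)
    results = {
        "exact": verify_password(typed, salt, digest),
        "without_space": verify_password("12345", salt, digest),
    }
    # Silent trim at set-time, untrimmed input at login: the user is locked out.
    t_salt, t_digest = set_password(typed.strip())
    results["silent_trim_then_login"] = verify_password(typed, t_salt, t_digest)
    try:
        set_password(typed, allow_edge_whitespace=False)
        results["strict_policy"] = "accepted"
    except PasswordRejected as exc:
        results["strict_policy"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```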