Comments
-
Why would you? The only time you actually process it is for getting the hash from your user's password plus your salt.
-
I came across an article one time where the author explained how companies like FB make variations of the user's password to assist forgetful users, leading to fewer password resets.
The logic for example:
A password like => "MyNewP@sswoRd";
----- Results in Variations ------
=> "MyNewP@ssword"
=> "myNewP@sswrd",
=> "MynewPassword"
Facebook makes variations like above though not specific, and these variations are used during validation of credentials on the user's trusted (most used) devices when the main password is wrong.
-
No, but I sometimes force lowercase the first letter because mobile keyboards are retarded. But you should pass the password more or less directly to a hash function.
-
I don't think I should touch the password at all and treat it like a binary blob that just gets used in a hash function somewhere
The only thing that I can imagine doing is blacklisting certain Unicode characters, but then again if you put an emoji in your password you're asking for it to break.
-
dder: @GiddyNaya what in the fuck? So when I’m brute forcing, with one attempt I actually try a handful of passwords? Or is it displayed to the user “hey, maybe try one of those instead”?
-
@dder If you mean the Facebook implementation... Brute forcing is of no use since your machine is not a trusted device.
-
If your password rule is to not allow whitespace then you alert the user to change the password once whitespace is there.
Personal question...
Do you "trim/remove" whitespaces from your user's password?
Why or why not?
question
account password
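
The two approaches discussed in the thread, side by side, as an added example that is not code from any commenter or from Facebook: the password is hashed exactly as typed (no trimming), and typo variants are checked at login against the single stored hash, only for a trusted device. All function names, the PBKDF2 iteration count and the two variant rules (caps lock inverted, first letter case flipped) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Iteration count is a constructed value for this example; tune it for real hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash the password exactly as typed: no trim, no case folding."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_record(password: str) -> dict:
    """Store only a random salt and the hash of the untouched password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def variants(attempt: str) -> list:
    """Small fixed set of typo corrections (assumed rules, not Facebook's)."""
    out = [attempt.swapcase()]                           # caps lock left on
    if attempt:
        out.append(attempt[0].swapcase() + attempt[1:])  # mobile keyboard changed first letter
    # De-duplicate and drop anything equal to the attempt itself.
    return [v for v in dict.fromkeys(out) if v != attempt]


def verify(record: dict, attempt: str, trusted_device: bool = False) -> str:
    """Return 'exact', 'variant' or 'reject'."""
    def matches(candidate: str) -> bool:
        digest = hash_password(candidate, record["salt"])
        return hmac.compare_digest(digest, record["hash"])

    if matches(attempt):
        return "exact"
    # Variants are derived from the attempt, so nothing extra is stored.
    if trusted_device and any(matches(v) for v in variants(attempt)):
        return "variant"
    return "reject"


if __name__ == "__main__":
    rec = new_record("MyNewP@sswoRd ")       # constructed sample, trailing space kept
    print(verify(rec, "MyNewP@sswoRd "))     # as typed
    print(verify(rec, "MyNewP@sswoRd"))      # what a server-side trim would submit
    print(verify(rec, "mYnEWp@SSWOrD ", trusted_device=True))
```

Each accepted variant is one more guess per login attempt and one more hash computation, so the variant set has to stay small and sit behind the same rate limiting as exact matches.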