Comment by cgriswald

> Please, just apply password rules everywhere consistently.

This would honestly fix all of it, without even needing to communicate information about how passwords are handled. Although, I think those rules should be communicated as well, so users can make good choices about password security. If spaces are removed, that lowers entropy and users may want to add additional characters or restrict spaces in their password generator.

It may not be easy. You might have dozens of different client applications with different requirements or abilities. But it is simple: Figure out your best practices and your lowest common denominator. Then apply those rules to every password every time in every context.

Alternatively, if you have clients which (for whatever reason) need a special case, create a separate hash for that special case and then use that only for that client. (Likely, this will reduce the overall security of the account, but if this is your lowest common denominator, allowing other clients to have greater security certainly doesn't hurt you.)