Spec doesn't mention password quotes
Section 5.1 of the control-spec  provides a nice description of authentication, but doesn't mention how to handle quotes in the password. Unsurprisingly controllers are expected to provide escaped quotes...
atagar@morrigan:~$ tor --hash-password "this has a \" in it" 16:E6DC1BCEDF55EDCA607ADDB8781795772E42AAC75F7B7630B6227232E4 atagar@morrigan:~$ telnet localhost 9051 Connected to localhost. AUTHENTICATE "this has a \" in it" 250 OK
I'm gonna guess that only quotes should be escaped by controllers.
I've been finding it a little frustrating to figure out when and what escaping is expected so I'm generally working from the assumption that I should ignore escaping unless specifically called out by the spec (like it is for authentication cookie paths, though that wasn't enough to work from alone ).