[Cryptography] Spaces in web passwords

John Ioannidis ji at tla.org
Sat Jun 21 15:11:54 EDT 2014


On Sat, Jun 21, 2014 at 11:51 AM, Dave Horsfall <dave at horsfall.org> wrote:

> Somewhat crypto-related, I think...
>
> More and more, I'm seeing web forms that do not accept spaces in
> passwords.  One response is to ignore them completely, and another is to
> say outright that spaces are not permitted.
>
> I'm baffled as to the threat model.  We're supposed to use symbols, aren't
> we, so what's wrong with a blank?  Are their backends really that broken,
> or are spaces susceptible to some obscure attack, or what?
>
> Amongst others, I've got mygov.gov.au and appleid.apple.com on this shame
> list.
>
> -- Dave


I don't know about mygov.gov.au, but Apple's ID page has been designed by
monkeys. They also don't accept perfectly valid email addresses (try, e.g.,
a at example.com or foo+apple at example.com for your value of example.com).
Then they have the whole "security questions" junk. Am I to believe that if
they couldn't get the front-end right, they would have gotten the back-end
right, which is a lot harder?

/ji