[Cryptography] Spaces in web passwords
ianG
iang at iang.org
Sat Jun 21 13:20:28 EDT 2014
On 21/06/2014 16:51 pm, Dave Horsfall wrote:
> Somewhat crypto-related, I think...
Costs of crypto, yes.
> More and more, I'm seeing web forms that do not accept spaces in
> passwords. One response is to ignore them completely, and another is to
> say outright that spaces are not permitted.
>
> I'm baffled as to the threat model. We're supposed to use symbols, aren't
> we, so what's wrong with a blank? Are their backends really that broken,
> or are spaces susceptible to some obscure attack, or what?
It's not a technical problem but a human/economics problem. People
don't recall when they typed a space. Spaces are hard to write down.
Spacekeys are more likely to bounce than others. Some software decides
to trim spaces. Or add spaces. Or change over to that other form of
space, the tab. Or UTF.
So, because spaces tend to cause password problems, they cause more
headaches. We can solve headaches at the support desk by ... banning
spaces.
In some services businesses, the entire cost is ... the number of
support calls per user. Lost password is typically the leading #1
support call, which is why there are so many automated password
replacement services/ideas.
iang
More information about the cryptography
mailing list