[Cryptography] Spaces in web passwords

Jerry Leichter leichter at lrw.com
Sat Jun 21 15:04:11 EDT 2014


On Jun 21, 2014, at 11:51 AM, Dave Horsfall <dave at horsfall.org> wrote:
> Somewhat crypto-related, I think...
> 
> More and more, I'm seeing web forms that do not accept spaces in 
> passwords.  One response is to ignore them completely, and another is to 
> say outright that spaces are not permitted.
> 
> I'm baffled as to the threat model.  We're supposed to use symbols, aren't 
> we, so what's wrong with a blank?  Are their backends really that broken, 
> or are spaces susceptible to some obscure attack, or what?

I'd guess this has nothing to do with cryptography and everything to do with human information processing.  Spaces are not generally considered significant in human communication.  Theyareaconveniencewhichcanbedispensedwith.  Yes, reading that sentence required some effort, but you could figure it out.  Sure, syntactically I might have meant "They area convenience" but you never seriously considered that possibility, did you?

Even where spaces are genuinely needed for disambiguation, humans are unlikely to notice or respond to leading or trailing spaces, or doubled spaces within the text.  This is especially so when using a variable-width font (i.e., most fonts) where it's impossible to distinguish one from two spaces with any degree of certainty.  In typography, "space" isn't really a character....

I'd guess these organizations just got tired of support calls caused by people who accidentally entered a leading or trailing space (it's very natural to hit the space key after typing a "word"), or were too clever by a half and created a secure password with embedded spaces and then couldn't remember - because this generally is not significant information - just where they put that space.

Whether to simply ignore spaces, or forbid them, is an interesting question.  On a purely theoretical basis, you could argue that ignoring any characters in a password is bad practice.  But on a human interaction basis, it may well be an excellent idea:  People can remember phrases with about as many words as they can remember "single word" passwords with that many letters.  But they are likely to have trouble typing them with consistent spacing, or with consistent *lack* of spacing.  So suggesting they use a phrase and then ignoring the spaces may well result in better passwords overall.

It would make for an interesting study.
                                                        -- Jerry
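
The policies weighed in the message above (ignore spaces, forbid them, or treat them as significant), sketched as an added example that is not part of the original post. The function names, the PBKDF2 parameters and the sample passphrase are assumptions made for illustration; the record stores the policy so that enrollment and verification normalize the input identically.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example only


def normalize(password: str, policy: str) -> str:
    """Apply a space-handling policy: 'ignore', 'forbid' or 'exact'."""
    if policy == "ignore":
        # Drop all whitespace, so spacing never affects the stored hash.
        return "".join(ch for ch in password if not ch.isspace())
    if policy == "forbid":
        if any(ch.isspace() for ch in password):
            raise ValueError("spaces are not permitted in passwords")
        return password
    if policy == "exact":
        return password  # every character, spaces included, is significant
    raise ValueError(f"unknown policy: {policy}")


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, policy: str) -> dict:
    """Normalize, then hash; the policy is stored so verify() reuses it."""
    salt = os.urandom(16)
    return {"policy": policy, "salt": salt,
            "hash": _derive(normalize(password, policy), salt)}


def verify(attempt: str, record: dict) -> bool:
    try:
        candidate = normalize(attempt, record["policy"])
    except ValueError:
        return False  # a 'forbid' record can never match input with spaces
    return hmac.compare_digest(_derive(candidate, record["salt"]), record["hash"])


if __name__ == "__main__":
    phrase = "correct horse battery staple"  # constructed sample passphrase
    rec = enroll(phrase, "ignore")
    print(verify(" correct  horse battery staple ", rec))
    print(verify("correcthorsebatterystaple", rec))
    print(verify(phrase + " ", enroll(phrase, "exact")))
```

Under the "ignore" policy, inputs that differ only in spacing (for instance "ab c" and "a bc") verify against the same record, which is the theoretical cost the message sets against the usability gain.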
 

