[Cryptography] Spaces in web passwords

Chris Tonkinson chris at masterbran.ch
Sat Jun 21 15:13:09 EDT 2014


> I'm baffled as to the threat model.  We're supposed to use symbols, aren't 
> we, so what's wrong with a blank?  Are their backends really that broken, 
> or are spaces susceptible to some obscure attack, or what?

  The only "legitimate excuse" for this is a backend infrastructure
which, given such a limitation, is - by definition - vulnerable to some
form of injection. I'd love to see the following model gain popularity:

  The "strength" of the attempted password is not directly based on
length or character set, but rather actual probabilistic complexity is
calculated from same and a target complexity is set as the metric for
acceptability, not directly "8 characters with an upper case and a symbol."

  Assuming proper hashing on the server - another topic entirely - the
passphrase: "airspeedvelocityofanunlaidenswallow" is provably orders of
magnitude (approximately 34, to be exact) more resistant to brute force
than "Monkey1!" yet the former would be rejected by many systems which
would happily accept the latter - probably with a complimentary green bar
provided by some jQuery plugin.

-Chris
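
An added example, not part of Chris's post, of the acceptance model he describes: the check is a target search-space size computed from the password's length and the character classes it actually uses, rather than a composition rule. Spaces are treated as ordinary symbol characters and are never stripped. The class sets, the 60-bit target and the two policy functions are assumptions for illustration; the model is the naive brute-force one (alphabet size to the power of length), not a dictionary-aware estimator, and it reproduces the "approximately 34 orders of magnitude" gap between the two passwords quoted above.

```python
import math
import string

# Character classes a naive brute-force attacker is assumed to have to search.
# The space is deliberately a member of the symbol class (assumption for this
# example) so that a passphrase with blanks is scored, not rejected or trimmed.
CHAR_CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation) | {" "},
}

# Target for the entropy-based policy (assumption: 60 bits of search space).
MIN_SEARCH_SPACE_BITS = 60.0


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume from the classes present."""
    size = 0
    covered = set()
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    # Characters outside the four classes (e.g. non-ASCII) each widen the
    # alphabet by one; this keeps the estimate conservative rather than zero.
    size += len({c for c in password if c not in covered})
    return size


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space: alphabet_size ** len(password)."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def orders_of_magnitude(stronger: str, weaker: str) -> float:
    """How many powers of ten larger the first password's search space is."""
    return (search_space_bits(stronger) - search_space_bits(weaker)) * math.log10(2)


def composition_rule(password: str) -> bool:
    """The rule the post criticises: 8+ chars, an upper-case letter, a symbol."""
    return (
        len(password) >= 8
        and any(c in CHAR_CLASSES["upper"] for c in password)
        and any(c in string.punctuation for c in password)
    )


def search_space_rule(password: str, min_bits: float = MIN_SEARCH_SPACE_BITS) -> bool:
    """The proposed rule: accept when the estimated search space meets the target.

    The raw string is scored; nothing is stripped, so 'correct horse battery
    staple' is judged on all 28 characters including its three spaces.
    """
    return search_space_bits(password) >= min_bits


if __name__ == "__main__":
    # Constructed sample passwords (the first two are the ones from the post).
    for pw in ("airspeedvelocityofanunlaidenswallow", "Monkey1!",
               "correct horse battery staple"):
        print(f"{pw!r:40} {search_space_bits(pw):7.1f} bits  "
              f"composition={composition_rule(pw)!s:5} "
              f"search_space={search_space_rule(pw)}")
    print("orders of magnitude:",
          round(orders_of_magnitude("airspeedvelocityofanunlaidenswallow",
                                    "Monkey1!"), 1))
```

Under this model the lower-case passphrase scores about 164 bits against roughly 53 for "Monkey1!", a gap of about 33.7 orders of magnitude; the composition rule accepts only the weaker one, the search-space rule only the stronger. A real deployment would pair this with a dictionary and leaked-password check, since a 35-letter phrase that is a famous quotation is far cheaper to guess than its raw search space suggests.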
