[Cryptography] Spaces in web passwords

Perry E. Metzger perry at piermont.com
Sat Jun 21 17:20:05 EDT 2014


On Sat, 21 Jun 2014 18:20:28 +0100 ianG <iang at iang.org> wrote:
> On 21/06/2014 16:51 pm, Dave Horsfall wrote:
> > More and more, I'm seeing web forms that do not accept spaces in 
> > passwords.  One response is to ignore them completely, and
> > another is to say outright that spaces are not permitted.
> > 
> > I'm baffled as to the threat model.  We're supposed to use
> > symbols, aren't we, so what's wrong with a blank?  Are their
> > backends really that broken, or are spaces susceptible to some
> > obscure attack, or what?
> 
> It's not a technical problem but a human/economics problem.  People
> don't recall when they typed a space.  Spaces are hard to write
> down. Spacekeys are more likely to bounce than others.  Some
> software decides to trim spaces.

I think that's all a rationalization at best. I suspect there is, in
fact, no reason other than someone being silly when they put in their
validation code. I've been in plenty of meetings about related topics
in large organizations and I've never heard anyone bring such things
up.

That said, I've seen mighty insane and arbitrary password policies
created -- some of them have the feeling of cargo cult or voudon
origins. None, however, that I can recall mentioned spaces, though
that might also just be my poor memory.

Perry
-- 
Perry E. Metzger		perry at piermont.com

