[Cryptography] Spaces in web passwords

Perry E. Metzger perry at piermont.com
Sat Jun 21 17:41:18 EDT 2014


On Sat, 21 Jun 2014 17:00:36 -0400 "Kevin W. Wall"
<kevin.w.wall at gmail.com> wrote:
> This whole "ignoring whitespace in passwords" goes back probably at
> least a dozen years.
>
> One such "backend infrastructure" is RSA Access Manager (fka,
> ClearTrust).
[...]
> We contacted RSA customer support and they explained to us that this
> was a "feature" (and one that couldn't be disabled) added because
> some of their client customer organizations had configured Access
> Manager to store passwords as cleartext in their custom DB and some
> of those companies simply chose to have the "forgot password" use
> case email the user back their current password.
>
> As it was explained, apparently RSA had gotten so many complaints
> about the passwords that were emailed back (via custom written code
> mind you) that the passwords were not working. Turns out some of
> those users were simply doing a copy-and-paste from their MUAs into
> a web form and the 'copy' did not select the unseen trailing
> whitespace in the email and since it wasn't visible, the users
> didn't know / remember it was there. (Who knows? It may have even
> been why they forgot their password.)

Neat! They had to "fix" the product to accommodate people who wanted
to use it insecurely!

I would, sadly, be lying if I claimed not to have experienced this
particular form of brain damage before.

Perry
-- 
Perry E. Metzger		perry at piermont.com
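Added example (not code from the thread, Perry, Kevin, or RSA): a small Python comparison of the two verifier behaviours discussed above. `verify_trimmed` strips whitespace before hashing, which is the "accommodating" behaviour described for the backend and makes a password typed with a stray trailing space authenticate as if it were the real one; `verify_exact` compares the input byte-for-byte. The defender-side alternative shown in `check_new_password` is to surface leading or trailing whitespace when the password is *set*, rather than silently altering input at login. PBKDF2, the iteration count, the minimum length and the sample passphrases are all assumptions constructed for this example.

```python
"""Constructed example: silent whitespace stripping at login vs. an enrollment-time check."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed parameters for the example; tune for a real deployment.
ITERATIONS = 50_000
MIN_LENGTH = 12


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the password exactly as given (no normalisation). Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_exact(password: str, salt: bytes, digest: bytes) -> bool:
    """Verify the password byte-for-byte as typed; a trailing space is a different password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def verify_trimmed(password: str, salt: bytes, digest: bytes) -> bool:
    """The behaviour described in the thread: leading/trailing whitespace is stripped
    before hashing, so 'secret' and 'secret ' are treated as the same credential."""
    return verify_exact(password.strip(), salt, digest)


def check_new_password(password: str) -> List[str]:
    """Enrollment-time check: report problems instead of silently 'fixing' them.
    Internal spaces are fine (passphrases); only the edges are flagged, since
    those are what a sloppy copy-and-paste typically adds or drops.
    Returns a list of human-readable issues; an empty list means acceptable."""
    issues = []
    if password != password.strip():
        issues.append("leading or trailing whitespace (often a copy-and-paste artifact); retype the password")
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    return issues


def demo() -> dict:
    """Run the comparison on a constructed passphrase with internal spaces."""
    salt, digest = hash_password("correct horse battery")
    return {
        "exact_accepts_as_typed": verify_exact("correct horse battery", salt, digest),
        "exact_rejects_trailing_space": not verify_exact("correct horse battery ", salt, digest),
        "trimmed_accepts_trailing_space": verify_trimmed("correct horse battery ", salt, digest),
        "enrollment_flags_trailing_space": check_new_password("correct horse battery ") != [],
        "enrollment_allows_internal_spaces": check_new_password("correct horse battery") == [],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the contrast: `verify_trimmed` quietly merges distinct inputs into one credential for every user on the system, while the enrollment check addresses the actual copy-and-paste failure at the only moment the user can still see and correct it.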