[Cryptography] Spaces in web passwords

Bill Stewart billstewart at pobox.com
Sat Jun 21 23:26:34 EDT 2014


At 02:20 PM 6/21/2014, Perry E. Metzger wrote:
>I think that's all a rationalization at best. I suspect there is, in
>fact, no reason other than someone being silly when they put in their
>validation code. I've been in plenty of meetings about related topics
>in large organizations and I've never heard anyone bring such things up.

There are characters that frequently get mangled, either because they're used as a delimiter, or because something tried to interpret them specially, or whatever.

If you really really know the password is only going to be input into one program, and nothing's going to mess with it at all, fine, allow spaces. But if you expect that a password is going to get handled by CGI, a database, and a Unix or MS-DOS shell, and PHP and perl, and cut&pasted by various things, and some application that tries to map characters to web-safe forms, like \\\0x20 or U+0020, there are lots of opportunities for at least one of them to break the space character; then you just know it's going to be handled wrong by somebody, leading to a customer service call because some software you're not aware of munged it.

You're probably safer not allowing it, or at least documenting that you don't allow it, even if you actually do. You're probably also not going to allow carriage-return or line-feed, and you probably won't have to disallow tab because browsers will prevent that.
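As an added illustration of the handling chain the message describes (this is not code from the original post), a Python script that pushes a constructed sample password through several typical stages and reports which ones no longer verify against the stored hash. Stage names, the salt and the sample passwords are assumptions for the demonstration.

```python
import hashlib
import hmac
import shlex
import urllib.parse

# Constructed salt for the demo; a real system derives a random salt per user.
SALT = b"constructed-demo-salt"


def stored_hash(password: str) -> bytes:
    """What the verifier keeps: PBKDF2 of the password exactly as enrolled."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 10_000)


def form_roundtrip_correct(p: str) -> str:
    """Browser form-encodes space as '+'; a correct decoder maps '+' back to space."""
    return urllib.parse.unquote_plus(urllib.parse.quote_plus(p))


def form_roundtrip_naive(p: str) -> str:
    """Same encoding, but a decoder that only handles %XX and leaves '+' alone."""
    return urllib.parse.unquote(urllib.parse.quote_plus(p))


def shell_argv(p: str) -> str:
    """Password passed to a shell unquoted: word splitting keeps only the first word."""
    try:
        words = shlex.split(p)
    except ValueError:  # unbalanced quote characters in the password
        return ""
    return words[0] if words else ""


def whitespace_trim(p: str) -> str:
    """A framework that 'helpfully' strips leading and trailing whitespace."""
    return p.strip()


# Order matters only for the order of names in the report.
STAGES = {
    "form-decode-correct": form_roundtrip_correct,
    "form-decode-naive": form_roundtrip_naive,
    "shell-argv": shell_argv,
    "whitespace-trim": whitespace_trim,
}


def mangling_stages(password: str) -> list:
    """Names of the stages after which the password no longer matches its stored hash."""
    expected = stored_hash(password)
    return [name for name, stage in STAGES.items()
            if not hmac.compare_digest(stored_hash(stage(password)), expected)]


if __name__ == "__main__":
    for pw in ("correct horse battery", "battery ", "nospaces"):  # constructed samples
        print(repr(pw), "->", mangling_stages(pw))
```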
