[Cryptography] Spaces in web passwords
Bill Stewart
billstewart at pobox.com
Sat Jun 21 23:26:34 EDT 2014
At 02:20 PM 6/21/2014, Perry E. Metzger wrote:
>I think that's all a rationalization at best. I suspect there is, in
>fact, no reason other than someone being silly when they put in their
>validation code. I've been in plenty of meetings about related topics
>in large organizations and I've never heard anyone bring such things up.
There are characters that frequently get mangled, either because they're used as a delimiter, or because something tried to interpret them specially, or whatever.

If you really really know the password is only going to be input into one program, and nothing's going to mess with it at all, fine, allow spaces. But if you expect that a password is going to get handled by CGI, a database, a Unix or MS-DOS shell, PHP and perl, cut&pasted by various things, and some application that tries to map characters to web-safe forms like \\\0x20 or U+0020, then there are lots of opportunities for at least one of them to break the space character, and you just know it's going to be handled wrong by somebody, leading to a customer service call because some software you're not aware of munged it.

You're probably safer not allowing it, or at least documenting that you don't allow it, even if you actually do. You're probably also not going to allow carriage-return or line-feed, and you probably won't have to disallow tab because browsers will prevent that.
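As an added example, not part of the original post or thread: a small Python model of the round-trip problem described above. Each "layer" is a constructed stand-in for one of the handlers the post lists (form encoding decoded with the wrong function, a shell word-splitting an unquoted argument, a whitespace trim), and the check reports which layers fail to hand the password back unchanged, i.e. where a login would compare against a different value than was registered.

```python
import hashlib
import shlex
from urllib.parse import quote_plus, unquote, unquote_plus

def pw_hash(pw: str) -> str:
    """Stand-in for a real password hash; used only to compare outcomes."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

# Constructed layers modelled on the post's list of handlers (assumptions).
def layer_form_naive(pw: str) -> str:
    # Browser form encoding turns ' ' into '+'; a server that decodes with
    # unquote() instead of unquote_plus() leaves the '+' in place.
    return unquote(quote_plus(pw))

def layer_form_correct(pw: str) -> str:
    # Same encoding, decoded with the matching function: round-trips cleanly.
    return unquote_plus(quote_plus(pw))

def layer_shell_argv(pw: str) -> str:
    # Password interpolated unquoted into a shell command line: the shell
    # word-splits it and the program only ever sees the first word.
    try:
        words = shlex.split(pw)
    except ValueError:          # unbalanced quote inside the password
        return ""
    return words[0] if words else ""

def layer_trim(pw: str) -> str:
    # Input fields and CGI glue often strip leading/trailing whitespace.
    return pw.strip()

LAYERS = {
    "form_naive": layer_form_naive,
    "form_correct": layer_form_correct,
    "shell_argv": layer_shell_argv,
    "trim": layer_trim,
}

def survives(pw: str) -> dict:
    """Map each layer name to True if the password comes back byte-for-byte."""
    return {name: fn(pw) == pw for name, fn in LAYERS.items()}

def login_mismatch(pw: str, register_layer: str, login_layer: str) -> bool:
    """True when registration and login paths hash different strings."""
    reg = pw_hash(LAYERS[register_layer](pw))
    log = pw_hash(LAYERS[login_layer](pw))
    return reg != log

if __name__ == "__main__":
    for pw in ["correct horse", " leading space", "nospace"]:
        print(repr(pw), survives(pw))
```

Running it shows the post's point directly: a password with a space survives the correctly decoded form path but not the naive decoder or the shell, so a user who registered through one path and logs in through another gets rejected.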