[Cryptography] Removal of spaces in NIST Draft SP-800-63B

Kevin W. Wall kevin.w.wall at gmail.com
Sat Apr 1 18:48:09 EDT 2017


On Thu, Mar 30, 2017 at 9:52 AM, Arnold Reinhold <agr at me.com> wrote:
> I filed a comment (#679) on NIST Draft SP-800-63B “Digital Identity Guidelines” urging removal of the provision in Section 5.1.1.2:  “Verifiers MAY remove multiple consecutive space characters, or all space characters, prior to verification provided that the result is at least 8 characters in length.” since it can reduce password entropy for no good reason. I’d be curious to know if anyone can figure out how that got in there in the first place. My comment is here:
>
>    https://github.com/usnistgov/800-63-3/issues/679

Good feedback, with which I agree completely. Just speculation as to
how it may have ended up there. Lots of times passwords / pass phrases
get emailed to clients (especially, initial passwords or in case of
password resets from a "forgot password" flow). In such cases, users
frequently copy-and-paste passwords from email into the login form.
The problem is that MUAs can compress consecutive spaces or (more
common) any beginning or trailing spaces are not copied by a double
mouse click.

I don't like it any more than you, but it seems that it saves a
significant amount of help desk calls so it is pretty common in
industry. Not sure if that was NIST's reasoning or not, but it seems
plausible.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
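As an added illustration (not part of either message above), here is a small Python verifier that applies the three space-handling options the draft's Section 5.1.1.2 leaves open, with the "at least 8 characters" proviso, and counts how many spacing variants of one passphrase each option accepts; the PBKDF2 parameters, the choice to normalise at enrolment as well as at verification, and the sample passphrases are my own assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Sequence

MIN_LEN = 8  # the draft's proviso: the normalised result must be >= 8 characters
ITERATIONS = 10_000  # kept low for the demonstration only


def normalize(password: str, mode: str) -> Optional[str]:
    """Apply one of the space-handling options a verifier MAY use.

    "none"     - compare the secret exactly as typed
    "collapse" - runs of consecutive spaces become a single space
    "strip"    - every space character is removed
    Returns None when the proviso forbids the normalisation.
    """
    if mode == "none":
        out = password
    elif mode == "collapse":
        out = re.sub(r" {2,}", " ", password)
    elif mode == "strip":
        out = password.replace(" ", "")
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return out if len(out) >= MIN_LEN else None


def enroll(secret: str, mode: str, salt: Optional[bytes] = None):
    """Assumption: the same normalisation is applied at enrolment, so all
    spacing variants of the secret map onto one stored hash."""
    salt = salt if salt is not None else os.urandom(16)
    normalized = normalize(secret, mode)
    if normalized is None:
        raise ValueError("secret too short after normalisation")
    return salt, hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, ITERATIONS)


def verify(salt: bytes, stored: bytes, candidate: str, mode: str) -> bool:
    normalized = normalize(candidate, mode)
    if normalized is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)


def accepted_variants(secret: str, variants: Sequence[str], mode: str) -> List[str]:
    """Spacing variants of `secret` that log in under `mode`. Each extra
    accepted string is a distinction a guesser no longer has to make,
    which is the entropy loss the comment objects to."""
    salt, stored = enroll(secret, mode)
    return [v for v in variants if verify(salt, stored, v, mode)]
```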

