[Cryptography] Removal of spaces in NIST Draft SP-800-63B

Arnold Reinhold agr at me.com
Sun Apr 2 00:39:33 EDT 2017



Sent from my iPhone

> On Apr 1, 2017, at 6:48 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> 
>> On Thu, Mar 30, 2017 at 9:52 AM, Arnold Reinhold <agr at me.com> wrote:
>> I filed a comment (#679) on NIST Draft SP-800-63B “Digital Identity Guidelines” urging removal of the provision in Section 5.1.1.2:  “Verifiers MAY remove multiple consecutive space characters, or all space characters, prior to verification provided that the result is at least 8 characters in length.” since it can reduce password entropy for no good reason. I’d be curious to know if anyone can figure out how that got in there in the first place. My comment is here:
>> 
>>   https://github.com/usnistgov/800-63-3/issues/679
> 
> Good feedback, with which I agree completely. Just speculation as to
> how it may have ended up there. Lots of times passwords / pass phrases
> get emailed to clients (especially, initial passwords or in case of
> password resets from a "forgot password" flow). In such cases, users
> frequently copy-and-paste passwords from email into the login form.
> The problem is that MUAs can compress consecutive spaces or (more
> common) any beginning or trailing spaces are not copied by a double
> mouse click.
> 
> I don't like it any more than you, but it seems that it saves a
> significant amount of help desk calls so it is pretty common in
> industry. Not sure if that was NIST's reasoning or not, but it seems
> plausible.
> 
> -kevin
> --

What you suggest may make sense in a historical context; it's the best explanation I've heard so far. But sending clients their password requires that the computer service provider store the plaintext password, which is bad practice and is totally prohibited by the NIST 63B draft. So it's not a justification for space elimination being allowed in 63B.

Arnold Reinhold 
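To make the entropy argument in this thread concrete, here is an added example (not from the thread or from NIST) that models the Section 5.1.1.2 provision as a normalization step and counts how many distinct passphrases the verifier can still tell apart afterwards. The wordlists and spacing rules are constructed assumptions; "remove multiple consecutive spaces" is modelled as collapsing each run to a single space.

```python
import math
import re
from itertools import product

MIN_LEN = 8  # the draft's floor on the length of the normalized password

def normalize(password: str, strip_all: bool = False):
    """Model of the draft provision (assumption: collapsing a run of spaces
    to one space, or dropping every space with strip_all); return None
    where the result is shorter than MIN_LEN and the verifier refuses it."""
    norm = password.replace(" ", "") if strip_all else re.sub(r" {2,}", " ", password)
    return norm if len(norm) >= MIN_LEN else None

def passphrases(words, n_words, max_gap):
    """Constructed keyspace: n_words words drawn from `words` (repeats
    allowed), each adjacent pair separated by 1..max_gap spaces."""
    for picks in product(words, repeat=n_words):
        for gaps in product(range(1, max_gap + 1), repeat=n_words - 1):
            out = picks[0]
            for word, gap in zip(picks[1:], gaps):
                out += " " * gap + word
            yield out

def keyspace_report(words, n_words, max_gap, strip_all=False):
    """How many raw passphrases exist, how many distinct values survive
    normalization, and how many the length floor rejects outright."""
    raw = set(passphrases(words, n_words, max_gap))
    normalized = {normalize(p, strip_all) for p in raw}
    rejected = sum(1 for p in raw if normalize(p, strip_all) is None)
    normalized.discard(None)
    return {"raw": len(raw), "distinct_after": len(normalized), "rejected": rejected}

def bits(count):
    """Entropy of a uniform choice over `count` values, in bits."""
    return math.log2(count) if count else 0.0

if __name__ == "__main__":
    words = ["correct", "horse", "battery", "staple"]  # constructed list
    for n in (2, 3):
        r = keyspace_report(words, n, max_gap=2)
        print(f"{n} words, 1-2 spaces: {r['raw']} raw ({bits(r['raw']):.1f} bits) -> "
              f"{r['distinct_after']} after collapsing ({bits(r['distinct_after']):.1f} bits)")
```

With n words and a choice between one or two separating spaces, collapsing costs exactly n-1 bits of the entropy the user put into the spacing; the strip_all variant additionally lets short word pairs fall under the 8-character floor.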

