[Cryptography] [FORGED] NIST SP 800-63-3

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Aug 15 08:05:18 EDT 2017


Arnold Reinhold <agr at me.com> writes:

>“To make allowances for likely mistyping, verifiers MAY replace multiple
>consecutive space characters with a single space character prior to
>verification, provided that the result is at least 8 characters in length.”
>
>That’s a lot better than the original text, which allowed total removal of
>space characters, though I would like to see evidence that adding extra spaces
>is a “likely mistyping.”

If you've ever had to do friends-and-family support for Windows, particularly
for older people, you'll have noticed that random spaces added to the start
and end of filenames aren't uncommon.  It's most visible in that case because
it perturbs the natural sort order of filenames, but it's bound to be present
in other locations as well.  In the specific case of passwords I've caught
several occurrences of "my password doesn't work any more" that involve a
spurious space at the start or end.  

So if the space-mangling also includes stripping spaces at the start and end,
it seems like sensible advice, because every time I've encountered those it's
been due to mistyping, and since they're invisible there's no way for non-
geeks to spot the problem.

Peter.
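
A sketch of the verifier-side rule discussed in this message, added here as an example; it is not code from the original post or from SP 800-63-3. The function names, the `trim` switch (the start/end stripping suggested in the reply) and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

MIN_LEN = 8              # length floor from the quoted SP 800-63-3 sentence
PBKDF2_ROUNDS = 100_000  # constructed value for this sketch, not a recommendation


def collapse_spaces(typed, trim=False):
    """Collapse runs of spaces; optionally strip leading/trailing spaces.

    Returns None when the result is shorter than MIN_LEN, in which case the
    normalized form must not be used for verification.
    """
    out = re.sub(r" {2,}", " ", typed)
    if trim:
        out = out.strip(" ")
    return out if len(out) >= MIN_LEN else None


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password):
    """Store the password exactly as chosen; normalization happens at verify."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


def verify(typed, salt, stored, trim=False):
    """Check the input as typed, then its space-normalized form if allowed."""
    candidates = [typed]
    normalized = collapse_spaces(typed, trim)
    if normalized is not None and normalized != typed:
        candidates.append(normalized)
    ok = False
    for candidate in candidates:  # evaluate every candidate, no early exit
        ok |= hmac.compare_digest(_derive(candidate, salt), stored)
    return ok
```

With `trim` left off, an input with a stray trailing space still fails, which is the support case described in the message.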

