Should whitespace characters be allowed in a password?
This SuperUser question might be relevant.
I think that your observation is accurate: many web-based systems accept only alphanumerics and a subset of symbolic characters (say, 0-9A-Za-z/_-!), but I think that this is simply historical convention. It may also be that programmers are used to the <space> character delimiting fields, rather than being found inside them.
There's also the issue of visibility: if you allow multiple consecutive spaces in a password, can the user easily count them? Might a system even collapse them into one (as unaided HTML would)? Can even a single space character be easily and quickly identified?
However, plenty of other types of systems do allow spaces in passwords. I'd probably still stray from them simply to help prevent user confusion (if people are indeed used to spaces in passwords being invalid, a password with a space in may be confusing to many), but there doesn't seem to be any technical reason not to allow them.
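The whitespace-collapsing concern raised in the answer above, as an added Python example that is not part of the original answer. The function names, the sample passwords and the PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # constructed value for the demo, not a recommendation


def collapse_whitespace(text: str) -> str:
    """Mimic HTML-style rendering: runs of whitespace become one space."""
    return re.sub(r"\s+", " ", text).strip()


def derive(password: str, salt: bytes) -> bytes:
    """Hash the password exactly as given, spaces included."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(candidate: str, salt: bytes, stored: bytes, normalise=None) -> bool:
    """Check a login attempt, optionally passing it through a normaliser first."""
    if normalise is not None:
        candidate = normalise(candidate)
    return hmac.compare_digest(derive(candidate, salt), stored)


def demo() -> dict:
    salt = os.urandom(16)
    chosen = "correct  horse "   # constructed: two inner spaces, one trailing
    lookalike = "correct horse"  # constructed: what the user may think they typed

    exact = derive(chosen, salt)                           # stored verbatim
    collapsed = derive(collapse_whitespace(chosen), salt)  # stored after collapsing

    return {
        # Verbatim storage: only the exact string logs in.
        "exact_accepts_chosen": verify(chosen, salt, exact),
        "exact_accepts_lookalike": verify(lookalike, salt, exact),
        # Collapsing on both paths: distinct passwords become equivalent.
        "collapsed_accepts_lookalike": verify(lookalike, salt, collapsed, collapse_whitespace),
        # Collapsing at registration only: the real password is locked out.
        "mismatch_accepts_chosen": verify(chosen, salt, collapsed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Hashing the password verbatim keeps every space significant; any normalisation step has to be applied identically at registration and at login, or the user's real password stops working.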
tom
Updated on May 26, 2022
Comments
-
tom almost 2 years
I've tried different sites/products and this seems to be split fairly evenly. Windows 7 and Gmail allow you to insert spaces in your password. Hotmail and Twitter do not.
While allowing spaces in a password increases the complexity of a password, it seems like many sites/programs do not allow them. Is there a good reason to allow/disallow spaces?
-
Lightness Races in Orbit about 13 years
I'd dispute "practically unbreakable". 20 characters is ~160 bits (normally), and with a subset of characters allowed it contains fewer bits of information than that. That's not so much for a supercomputer to break in a wee while. It really depends on the use case, I guess.
-
Rory Alsop about 13 years
20 chars is still a challenge for a supercomputer. It all depends how short the "wee while" is in real terms!
-
Rory Alsop about 13 years
Improves the strength, but may break applications - white space is often used to delimit parameters.
-
Manfred Moser about 13 years
I was talking about practically in terms of money. If you have a super computer to break a password and can run it for a few hours it better be a really important password.
-
Lightness Races in Orbit about 13 years
The strength isn't entirely relevant to the question of whether you should allow them.
-
Sámal Rasmussen over 7 years
Both space and tab are visible characters. Also if you use a password manager, as you should, then you would just copy-paste the password, and then anything goes. Any character is as good as any other.