Users should be able to use spaces in their password. I like to use 16 randomly selected words to make a reasonable password. However, when I try to use a space between the words I get an arbitrary restriction saying “Passwords cannot contain spaces.”
I don’t think I’ve ever tried to put a space in a password anywhere.
Isn’t it normal to not be able to put spaces in them, or do other apps let you do it?
Spaces in passwords are pretty standard, yes.
Fair enough then
I’ll try to investigate whether there’s a legitimate reason to forbid spaces or whether we can drop that requirement safely. With password generation techniques like Diceware getting increasingly popular any eventual reason to forbid spaces in passwords is clearly not due to (un)security.
Password OR Passphrase
There is a difference.
Personally I think that passwords should not support spaces, and frankly have never heard of anything (other than perhaps Windoze stuff?) allowing spaces in a password.
Passphrases by nature should allow spaces, OF COURSE.
MiaB uses passwords, not passphrases.
Gmail and Linux support spaces in a password
what would be funny would be to silently strip the spaces out of a password.
Could be easily verified of course (tried out the phrase with some whitespace padding) but security-wise it shouldn’t be the end of the world as a solution to fix the immediate problem (if it really is a problem???)
I have done some testing and it looks to me that within Mail-in-a-Box, there are no issues in allowing spaces.
I have dug through The Internet™ about this case, and of course this is one of those topics where opinion tends to rule.
Here’s a compilation of arguments presented not to allow spaces:
- Adding a space at the end or start of the password is most likely a typo
It could also be intentional. That’s why on most signup pages you’re asked to type your password twice.
- When sending passwords to users, it’s hard to distinguish “xyyz” vs “xyyz ”
You shouldn’t be doing that anyway.
- Spaces sound different from other keys (on the majority of keyboards) - if anyone is spying on you it’s easy to recognize that a given password contains spaces, how many, and how long each word is.
Fair enough… but I guess that the chances of anyone actually going after your passwords like this are minute.
- Improperly implemented password checkers/programmers’ laziness/whatever
At this point all we need to do is to hash the password. Hashing algorithms do not care for encoding or whatever you actually need to do.
This will cause more harm than good.
If you only trim when registering the user, then the password the user gave will not work.
Even if you trim whitespace both at registration-time and login-time, this means that there is no longer only one password able to access the account. That’s not good.
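The two points above (the hash does not care about spaces; trimming at one or both ends changes which strings open the account) can be shown in a few lines. This is an added illustration, not Mail-in-a-Box code: it uses PBKDF2 from the Python standard library with a constructed sample passphrase, and the function names (`make_record`, `verify`, `trim_only_at_registration`, `accepted_after_trimming_both`) are assumed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample passphrase for this illustration (not one from the thread).
PASSPHRASE = "correct horse battery staple"
ITERATIONS = 100_000  # kept modest so the demo runs quickly; use a higher count in production


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 digest from the password's exact UTF-8 bytes.

    The KDF only ever sees bytes; a space is byte 0x20 like any other, so
    nothing in the hashing step needs, or benefits from, a no-spaces rule.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(record: Tuple[bytes, bytes], candidate: str) -> bool:
    """Recompute the digest for the candidate with the stored salt; constant-time compare."""
    salt, stored = record
    _, computed = make_record(candidate, salt)
    return hmac.compare_digest(stored, computed)


def strict_policy(password: str = PASSPHRASE) -> Tuple[bool, bool, bool]:
    """Store the password as typed: exactly one string opens the account.

    Returns (exact match, trailing-space variant, spaces-removed variant).
    """
    record = make_record(password)
    return (
        verify(record, password),
        verify(record, password + " "),
        verify(record, password.replace(" ", "")),
    )


def trim_only_at_registration(password: str) -> bool:
    """The bug described above: whitespace stripped when the record is created, not at login.

    A user who registered with surrounding whitespace and types it again is locked out.
    """
    record = make_record(password.strip())
    return verify(record, password)


def accepted_after_trimming_both(password: str, candidates) -> int:
    """Trim at registration *and* login: count how many distinct candidate strings are accepted.

    Anything above 1 means several different inputs unlock the same account.
    """
    record = make_record(password.strip())
    return sum(1 for c in candidates if verify(record, c.strip()))


if __name__ == "__main__":
    print("strict policy (exact, trailing space, no spaces):", strict_policy())
    print("trim at registration only, user typed leading spaces:",
          trim_only_at_registration("  " + PASSPHRASE))
    variants = [PASSPHRASE, PASSPHRASE + " ", "\t" + PASSPHRASE, PASSPHRASE + "\n "]
    print("inputs accepted when trimming both sides:",
          accepted_after_trimming_both(PASSPHRASE, variants))
```

With the strict policy only the exact string verifies; trimming only at registration locks out a user who registered with padding; trimming at both ends makes every padded variant a valid login, which is the "no longer only one password" problem.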
To be fair, the line between them only lies at 1 word vs multiple words. In theory the distinction is well-defined, but in practice the difference is a very blurry line to the point one would rather use these terms interchangeably.
Yeah, I don’t think trimming whitespace is a sensible long-term solution; but on the security piece: if the underlying password/phrase is strong then the inclusion/lack of whitespace isn’t going to fundamentally change the picture.
On a more serious and tangential side note: on Windows, copy-paste strips out trailing spaces. I mention this because I usually use copy-paste for complex passwords and I was a bit worried about having a space at the end messing things up (exactly for the reason mentioned about how trailing whitespace presented to the user is easy to miss). But I realised that Windows always removing spaces at the end does what I expect almost all of the time (i.e. copying in from the same source to the password field always works; when I type by hand (w/o the space) it works as well)
It’s actually quite dangerous… Likely not in any scenario where online-attacks are the threat and you can introduce rate limiting or lockout periods, but it’s a terrible practice nonetheless.
For example though, for users using plaintext passphrases, if any of their words become compounds, you significantly reduce the keyspace. If you pick 6 random words from the diceware list you get 77 bits of entropy (log2(7776^6)). If the passphrase you picked was an exceptionally unlucky “basket ball finger print shuffle board”, and you strip spaces, your password is now log2(7776^3), or 38 bits of entropy, which is effectively a 100% decrease in complexity (99.99…%).
Not exactly the scenario you’re saying (I think this is going to be a crazy edge case, shoulder surfing to remember sounds), but knowing the length of a password doesn’t significantly reduce the security of it. If you know a user’s password is n characters, all that means is you ignore anything n-1 characters long. You’re still going to need to guess all of the n character combinations, which almost always comprise 99% of the keyspace.
Say for a 12 character uppercase, lowercase, number password:
(26+26+10)^12 = 3226266762397899821056 (98.4%)
(26+26+10)^11 = 52036560683837093888 (1.6%)
That was what I was thinking, too. Going for passwords like that sounds like a very absurd argument - unless you have valuable info some government wants… (which I assume is not the case here)
Anyway, a pull request has been made to the mailinabox repo, waiting for Josh to review/merge.
Moot coz there is a PR to allow spaces but I don’t think the entropy calculation works that way - the complexity is still at original level coz the universe of possible passwords is still [7777^6] regardless of the presence of spaces
The 6 is the amount of words chosen from the 7776 list, but by having unluckily chosen 3 back to back words that form compound words (basket ball = basketball), you’re no longer using 6 unique words; you’re using 3.
* Worth noting I didn’t check the diceware list for compounds (they probably filter these out for good reason), this was just for illustrative purposes that spaces do indeed play an important part and are not inconsequential.
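The two calculations in this thread, the Diceware entropy collapse when adjacent words form compounds and the "knowing the length barely helps" keyspace shares, worked through in Python. This is an added example, not code from the thread or from Mail-in-a-Box; the word-segmentation routine, the toy dictionary (constructed here, containing only the six words and three compounds from the example above) and the function names are assumptions for the illustration. The segmentation step generalises the compound argument: it finds the fewest dictionary words that concatenate to the space-stripped phrase, which is the number of words someone would actually need to guess once the spaces are gone.

```python
import math

DICEWARE_LIST_SIZE = 7776  # 6^5 entries in a standard Diceware list, as in the thread

# Constructed toy dictionary: three word pairs plus the compound each pair forms.
# A real Diceware list may exclude such compounds; this is purely illustrative.
TOY_DICTIONARY = {
    "basket", "ball", "basketball",
    "finger", "print", "fingerprint",
    "shuffle", "board", "shuffleboard",
}


def diceware_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n words drawn uniformly from a list: log2(list_size ** n_words)."""
    return n_words * math.log2(list_size)


def min_word_segmentation(text: str, dictionary) -> float:
    """Fewest dictionary words that concatenate to `text` (dynamic programming).

    Returns math.inf when no segmentation exists.
    """
    best = [math.inf] * (len(text) + 1)
    best[0] = 0
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] != math.inf and text[start:end] in dictionary:
                best[end] = min(best[end], best[start] + 1)
    return best[len(text)]


def bits_before_and_after_stripping(phrase: str, dictionary):
    """Word count and entropy of a passphrase as typed versus after its spaces are removed."""
    words_before = len(phrase.split())
    words_after = min_word_segmentation(phrase.replace(" ", ""), dictionary)
    return words_before, words_after, diceware_bits(words_before), diceware_bits(words_after)


def length_share(alphabet_size: int, length: int, max_length: int) -> float:
    """Fraction of all strings of length 1..max_length that are exactly `length` long.

    The longest length dominates the keyspace, so learning the length (and thus
    ruling out every shorter string) removes only a small slice of it.
    """
    total = sum(alphabet_size ** k for k in range(1, max_length + 1))
    return alphabet_size ** length / total


if __name__ == "__main__":
    phrase = "basket ball finger print shuffle board"
    before, after, bits_before, bits_after = bits_before_and_after_stripping(phrase, TOY_DICTIONARY)
    print(f"{before} words / {bits_before:.1f} bits as typed; "
          f"{after} words / {bits_after:.1f} bits once spaces are stripped")
    print(f"62^12 = {62 ** 12}, share of keyspace {length_share(62, 12, 12):.1%}")
    print(f"62^11 = {62 ** 11}, share of keyspace {length_share(62, 11, 12):.1%}")
```

Against the toy dictionary the six-word phrase segments into three compounds, so the stripped form carries the 38 bits of a three-word phrase instead of 77; with a list that contains no compounds the segmentation count stays at six and nothing is lost, which is why the compound check matters.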
The pull request I mentioned above has been merged into the master branch. Passwords with spaces will be allowed starting with the next Mail-in-a-Box release. (I assume v0.47)