Some systems, especially older ones, could struggle when special characters (including spaces) were used due to the way they process character strings. Most languages could/can be designed around these issues. However, often the developers (especially if they’re small, independent and/or inexperienced developers) would think those methods weren’t worth the hassle or didn’t know how to do them in the first place. Because of this, many early systems (and even modern ones, when implemented poorly) fail to handle special characters in their strings.
For example, at my place of employment, many of our systems were programmed in-house by inexperienced programmers (to my continuous frustration) and one of the problems they still have is that certain characters (including a space) will actually cause the program to crash if you try to use them in a password.
The specific reasons that certain characters can break the password systems are incredibly varied. In the case of spaces causing the system to break, one possible issue is that the program interprets empty spaces as breaks in the character string. For example, the character string “hello world” could possibly be interpreted instead as two character strings “hello” and “world”. This would mean the program is expecting one string as an argument but is instead receiving two, which could cause it to break.
Other characters could potentially cause problems as well. For example, if you’re using a language where the “&” character has a special meaning (SAS for example), it could cause problems if that character were to show up in a character string. For the SAS-specific example, the “&” character indicates the start of a macro variable (a special kind of variable that can be used throughout the whole program) and if the program comes across the “&” character, it expects that the text just after it is the name of a previously defined macro variable. If no such macro variable was defined, it would cause an error. If a macro variable with that name *was* defined, it will insert the value of that variable into the string. In either case, this can cause problems if that’s not your intention. There are certain methods around this called “masking” where you essentially tell the program to treat the “&” character as just a regular character instead of something special. So, if built properly, you can still use strings with the “&” character in them.
All of that being said though, as I originally mentioned, virtually every modern programming language is built robustly enough that most, if not all, special characters are allowed in passwords. If the language isn’t built to handle it natively (which most are), there’s almost always a prebuilt package or simple methods to make it easier. In fact, it’s probably harder to make it so your passwords *can’t* handle special characters now than it is to make it so they can.
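The "hello world" case described in the answer above, as an added example that is not part of the original answer: a POSIX shell script in which an unquoted variable splits a password on its space, next to the quoted form that keeps it whole. The shell is used here only as a stand-in language, and `count_args`, `check_password`, `weak_login` and `safe_login` are hypothetical names with a constructed sample password.

```shell
#!/bin/sh
# Constructed sample password containing a space (the "hello world" case).
PASSWORD='hello world'

# Hypothetical helper: reports how many separate arguments it received.
count_args() {
    echo "$#"
}

# Weak: unquoted expansion. The shell splits the value on whitespace, so the
# helper receives two strings ("hello" and "world") instead of one.
unquoted_count() {
    # shellcheck disable=SC2086
    count_args $PASSWORD
}

# Corrected: quoted expansion passes the password as a single argument.
quoted_count() {
    count_args "$PASSWORD"
}

# Hypothetical password routine that insists on exactly one argument. On the
# split input it hits the "expected one string, received two" failure.
check_password() {
    if [ "$#" -ne 1 ]; then
        echo "error: expected 1 argument, got $#" >&2
        return 2
    fi
    [ "$1" = "$PASSWORD" ]
}

# shellcheck disable=SC2086
weak_login() { check_password $PASSWORD; }
safe_login() { check_password "$PASSWORD"; }

echo "unquoted: $(unquoted_count) argument(s)"
echo "quoted:   $(quoted_count) argument(s)"
weak_login 2>/dev/null || echo "weak_login failed with status $?"
safe_login && echo "safe_login succeeded"
```

The same password works or fails depending only on whether the caller quoted it, which is why the fix belongs in the program and not in a rule that forbids spaces in passwords.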