Is there a technical reason why blank spaces can’t be used in password since you always have to hit submit afterwards anyway?

1.22K viewsOtherTechnology

Just reading in that long password are better than complex ones. Wouldn’t it be better if our passwords were long memorable quotes like “Now are the times that try men’s souls” instead of something like Be$ty78?

In: Technology

31 Answers

Anonymous 0 Comments

There’s no technical reason, no. Blank spaces can be handled just like any other character – it’s simply that it never became customary to bother handling them. 

Anonymous 0 Comments

Yes. Most places allow spaces in passwords. Passphrases are more secure than passwords because of the increased length. Correct horse battery staple.

Anonymous 0 Comments

You can have blank spaces in passwords. common password lists very rarely have them and longer passwords are better. Though a famous quote will be worse than something more personal or more random.

What I don’t recommend is using them at the start or end of a password. Applications routinely strip white space from the start and end of submitted strings and it’s very easy for a developer to forget to make an exception for passwords (or not realize they’re supposed to) and you may find your password doesn’t work (potentially after an update).

Anonymous 0 Comments

>Wouldn’t it be better if our passwords were long memorable quotes like “Now are the times that try men’s souls” instead of something like Be$ty78?

YUP. 

passphrases are way more inherently secure (as of today) due to length over complexity. Nothing stopping you from using that exact password other than needing to type it out every single time. It’s all fun and games until you have to type that in for the 5th or 6th successive time. 20ish characters is all you need really to become brute force prohibitive entirely, but also be memorable. 

Anonymous 0 Comments

Spaces can be hell to troubleshoot – like if a user puts 2 spaces in between words, it can be hard to see and understand why your login is failing.

Some programming languages naturally break text after a space unless you encase it in quotes, so requiring no spaces can be a decision to make managing passwords easier.

Famous quotes would be a bad idea, because they are easy to guess.

Anonymous 0 Comments

Some systems, especially older ones, could struggle when special characters (including spaces) were used due to the way they process character strings. Most languages could/can be designed around these issues. However, often the developers (especially if they’re small independent and/or inexperienced developers) would think those methods weren’t worth the hassle or didn’t know how to do them in the first place. Because of this, many early systems (and even modern ones, when implemented poorly), fail to handle special characters in their strings.

For example, at my place of employment, many of our systems were programmed in-house by inexperienced programmers (to my continuous frustration) and one of the problems they still have is that certain characters (including a space) will actually cause the program to crash if you try to use it in a password.

The specific reasons that certain characters can break the password systems are incredibly varied. In the case of spaces causing the system to break, one possible issue is that the program interprets empty spaces as breaks in the character string. For example, the character string “hello world” could possibly be interpreted instead as two character strings “hello” and “world”. This would mean the program is expecting one string as an argument but is instead receiving two, which could cause it to break.

Other characters could potentially cause problems as well. For example, if you’re using a language where the “&” character has a special meaning (SAS for example), it could cause problems if that character were to show up in a character string. For the SAS specific example, the “&” character indicates the start of a macro variable (a special kind of variable that can be used throughout the whole program) and if the program comes across the “&” character, it expects that the text just after it is the name of a previously defined macro variable. If no such macro variable was defined, it would cause an error. If a macro variable with that name *was* defined, it will insert the value of that variable into the string. In either case, this can cause problems if that’s not your intention. There are certain methods around this called “masking” where you essentially tell the program to treat the “&” character as just a regular character instead of something special. So, if built properly, you can still use strings with the “&” character in them.

All of that being said though, as I originally mentioned, virtually every modern programming language is built robust enough such that most, if not all, special characters are allowed in passwords. If the language isn’t built to handle it natively (which most are), there’s almost always a prebuilt package or simple methods to make it easier. In fact, it’s probably harder to make it so your passwords *can’t* handle special characters now than it is to make it so they can.

Anonymous 0 Comments

There’s no technical reason for any character at all to be disallowed in passwords.

Whitespace and other special characters such as the newline, backspace and carriage return characters might be disallowed for practical reasons with the interface.

But beyond that, it’s usually because the application is handling the password in an insecure manner. The contents of the  password should be completely irrelevant to the operation of the application, because the application should be handling the password in a SecureString which is encrypted.

If the password contents are enumerated to act upon logic and alter the application behavior, then the password must have been saved somewhere insecurely for that evaluation to have occured.

And yet, look at how many websites restrict your password to a few special characters or even explicitly disallow some. It always concerns me when I see that because I know what’s probably happening behind the scenes.

Anonymous 0 Comments

For simplicity and to avoid errors with copy/pasting etc, it’s often better to just ban spaces. There are enough other characters that it won’t have a significant effect on the strength of a password.

Spaces are also an “invisible” character, so it can be difficult to tell if one is there or not, or if your password has two or three spaces in a row

Anonymous 0 Comments

Every website that requires passwords can make up its own rules about what is or is not acceptable.

Anonymous 0 Comments

On unix, not sure about now, but back in the day, even backspace was a valid key for a password.