No one is answering with the evolution of passwords: before rich user interfaces you would log in somewhere in a terminal, and you would type the user and password in sequence, separated by a space. And usually more options afterwards.
So a space inside a password would be ambiguous to handle.
telnet 192.168.0.1 root password -t
Something like this.
I’ve been using spaces in mine for years. Most people don’t so maybe slightly more secure. What’s aggravating is devs not allowing for them or only allowing a tiny subset of punctuation. I’m a dev myself so I get it but half of all sign up forms I’ve ever used are atrocious and annoying re: password constraints.
My Windows login is a single space-bar so I’m not sure what you mean.
All characters including Enter/Return and space-bar are represented equally in the nitty gritty, they’re just displayed differently for the user. Often Enter activates one of the continue buttons, so while it can technically be a password, it’d be more trouble than it’s worth in practicality.
There’s no technical reason other than if the rules of the system say so, similar to the “must have at least one upper case letter” kind of stuff.
So yes, you can have spaces in a password unless otherwise prohibited.
But there are non-technical reasons to avoid spaces, one of them already mentioned several times: spaces are easy to miss and check, whether by the user or the tech guy, especially when they’re at the start or at the end.
It is especially bothersome to the user – missing or forgetting (or adding) a space will lead to failed logins and that may mean having to recover or change the password.
All that being said, it’s not hard to use a memorable quote as a pass phrase and also not use spaces. Just use dashes, or any other common symbol.
If you own an Apple device, you’d see this – if you let it generate a password for you, one of the things you will notice is that it creates clusters of short “words” separated by hyphens, like so:
hF6Kb-yykdO0-f$ste73
So you can take that idea and still use a memorable quote without spaces:
never-gonna-give-you-up-never-gonna-let-you-down-never-gonna-run-around-and-desert-you
is an extremely secure but also very memorable pass phrase that also doesn’t have spaces.
And yes, it is better to actually remember strong passwords than ones we can’t. A password is only good if it actually allows you access to your stuff.
It is still much better to use a password manager, but your password manager password should be a strong password that’s easy to remember, and a long quote with hyphens instead of spaces is a very strong option.
Just don’t be predictable, because machines might take billions of years to crack it but your best friend might crack it in a second.
ELI5 version
Some systems, especially older ones, stop reading when they reach a space.
Not ELI5 version
Before Window/GUI systems, everything was done on a command line, and even today, a lot of system administrator and developer stuff still is. With command line tools, the default is to interpret any whitespace as the break between parameters. This can be overcome with quotes, but it is simpler if you don’t need to, so plenty of admins and devs are just in the habit of not using spaces.
Treating white space as the break between inputs is super common. Whenever you’re streaming text data, either from standard input or from a file, there are typically 2 read operations. “Readline” will get data until it encounters the newline/carriage return characters and “Read” which will get data until it reaches any whitespace. So if an application was storing your password in a file, it could potentially only get part of it if there are spaces.
Personally, I do use pass-phrases but don’t put the spaces in, and I still do common substitutions because plenty of systems still enforce complexity even though that is no longer considered best practice by NIST. However, whenever I can, I just use a generated password from Chrome.
Pro tip: If you want a good alternative to space, use underscore “_”. It doesn’t have any of the issues I’ve described.
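The token-versus-line read behaviour and the command-line splitting described in the answer above, as an added example that is not part of the original post. The function names, the `login-tool` command and the `user password` record format are constructed for illustration.

```python
import io
import shlex


def read_token(stream):
    """Whitespace-delimited read, like scanf("%s") in C or `cin >> s` in C++."""
    token = []
    while (ch := stream.read(1)):
        if ch.isspace():
            if token:
                break          # first whitespace after data ends the token
            continue           # skip leading whitespace
        token.append(ch)
    return "".join(token)


def read_line(stream):
    """Line-oriented read: everything up to the newline, spaces included."""
    return stream.readline().rstrip("\r\n")


def parse_record_naive(line):
    """Hypothetical 'user password' record split on any whitespace."""
    fields = line.split()
    return fields[0], fields[1]    # anything after the second field is lost


def parse_record_safe(line):
    """Split once, on the first space, so the password keeps its own spaces."""
    user, _, password = line.rstrip("\r\n").partition(" ")
    return user, password


def split_argv(command_line):
    """How a POSIX-style shell breaks a command line into arguments."""
    return shlex.split(command_line)


if __name__ == "__main__":
    stored = "correct horse\n"     # constructed sample password with a space
    print(read_token(io.StringIO(stored)))    # truncated at the space
    print(read_line(io.StringIO(stored)))     # intact
    print(parse_record_naive("root correct horse\n"))
    print(parse_record_safe("root correct horse\n"))
    print(split_argv("login-tool root correct horse -t"))
    print(split_argv('login-tool root "correct horse" -t'))
```
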
3-4 random words is a better password than what is usually recommended when it comes to passwords you need to remember yourself.
Applications that don’t allow one or more characters are always a security smell to me because best practices behind the scenes allow for your password to contain any character, thus restricting character usage indicates to me that they are not following best practices.
Better password systems should allow spaces in the password. However, remember that the strength of a password is based on the number of random choices and the number of possible selections for that choice.
So, a password based on a quotation means you’re basing the entire password on _one_ random choice: which quotation to select. Critically, it isn’t the number of characters in the password anymore, because those aren’t random (for example, if I’m thinking of a passphrase that begins “Space, the final fro…”, what are the next 6 letters? Are you confident you could guess the next 12 letters after that?).
So it comes down to _one_ choice, and the number of quotations you can choose between … and if you as a human being make that selection, it is likely among a very small number (a few thousand) of popular choices. This results in a weak password, roughly equivalent in strength to 2 or 3 random characters. Even if we let a computer do the selection between the most memorable line in every book ever written (about 130 million), this is roughly the same strength as 4 or 5 random characters.
A passphrase where each choice is a word randomly chosen from the dictionary (the “correct horse battery staple” method) can be quite a bit stronger. If our dictionary has 8000 words, a four-word random passphrase has about the same strength as 8 or 9 random characters, and many people find it easier to memorize. So this is the approach I recommend.
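The strength comparison in the answer above, worked through with a random-word generator, as an added example that is not part of the original post. The 62-symbol alphabet (letters and digits), the figure of 4,000 for "a few thousand" quotations and the short word list are assumptions made for illustration.

```python
import math
import secrets

# Constructed sample list; a real word list would hold thousands of entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "candle",
                "velvet", "anchor", "pepper", "walnut", "meadow", "signal",
                "harbor", "pocket", "ribbon", "timber"]


def entropy_bits(options, picks=1):
    """Bits of entropy for `picks` independent uniform choices among `options`."""
    return picks * math.log2(options)


def equivalent_random_chars(bits, alphabet_size=62):
    """Length of a random string over `alphabet_size` symbols with equal entropy.

    62 (letters and digits) is an assumption; the answer names no alphabet.
    """
    return bits / math.log2(alphabet_size)


def generate_passphrase(words, count=4, separator="-"):
    """Pick each word independently with a CSPRNG.

    The separator (hyphen, underscore or space) is fixed, so it adds no entropy.
    """
    return separator.join(secrets.choice(words) for _ in range(count))


def compare():
    """Equivalent random-character lengths for the three cases in the answer."""
    return {
        "quotation chosen by a person (4,000 options, assumed)":
            equivalent_random_chars(entropy_bits(4_000)),
        "quotation chosen at random from 130 million":
            equivalent_random_chars(entropy_bits(130_000_000)),
        "four random words from an 8000-word dictionary":
            equivalent_random_chars(entropy_bits(8_000, picks=4)),
    }


if __name__ == "__main__":
    for label, chars in compare().items():
        print(f"{label}: about {chars:.1f} random characters")
    phrase = generate_passphrase(SAMPLE_WORDS)
    bits = entropy_bits(len(SAMPLE_WORDS), picks=4)
    print(f"{phrase} ({bits:.0f} bits from this 16-word sample list)")
```
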