RE: Whitespace in passwords

From: Anders Thulin (
Date: 09/07/05

  • Next message: "Pen Testing a PBX (Northern Telecom Meridian-1)"
    Date: Wed, 7 Sep 2005 12:16:39 +0200
    To: "bryan allott" <>, <>

    > From: bryan allott []

    > to the misnomer "passWORD" rather than passPHRASE but it
    > seems that [most?] people choose passes that dont contain
    > whitespaces,

      Most people still stick to alphanumeric passwords, and most
    of those are passwords where the digits are placed at the end.
    Whitespace is probably not more special than any of the other
    'specials' that appear on a standard keyboard. A problem is to
    know just what those are -- a look at a keyboard may lead a user to
    think the 'x' on the keypad is a different special character than the

    > my main question, re security, is wether the whitespace made
    > the password too vulnerable? [historically] and why this
    > constraint is introduced in many systems..

      Tradition, probably. In environments where users are given
    fixed passwords that they can't change themselves, space
    belongs together with S58, O0, and Il1 to the characters that
    probably will be misunderstood, and so cause calls to helpdesk.
    Anything that is likely to cause a help-desk call is a no-no
    in large environments.
      Another aspect is regularity of user interface design: should
    space be treated as significant when it appears first and last in
    a string in general, say a Search field in a text editor or a From-
    field in an e-mail program? If not, spaces first and last in
    passwords will be assumed to be insignificant as well -- and
    so become another source for helpdesk complaints.
    Regularity pays off.

     [but then, if
    > myth- why propogate it?]

      Probably also a case that password are seldom documented in detail,
    and few people are willing to sit down to find out details by experiment.
    (Windows NT hashes use the OEM character set ... which is another source
    of documentation problems.) So instructions for password construction
    tend to avoid mentioning characters that might be troublesome, even
    though there are some important things to know.

      For instance, dead accent keys (on my kbd ^ is one) usually don't change
    the base character in a password, so 'pass' and 'pāss' may produce the same
    password hash.

      The most useful character to have in a reasonably modern Windows
    password is EUR (Alt-Gr E on my kbd.) I suspect the reason why is well
    known -- if not, I'll leave it as an exercize. I'm sure there are similar
    'oddities' on other password situations.

    > i'm thinking that whitespaces [if yr
    > system can handle them, and why not?] would add another
    > measure of complexity in cracking pwds?

      Of course they do. But ... if you alredy have an adequate
    password protection -- say, accounts are locked out after 25 failed
    attempts per day regardless of source -- the extra complexity doesn't
    add much protection. (If you have the password hashes, security
    has already failed, and any attempt to add a last line of defense
    in the form of password complexity is misguided: it's only a
    question of time before the passwords are discovered, and that
    time should not be left to users to ensure.)

    Anders Thulin 040-661 50 63
    TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö


    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on your
    website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    futile against web application hacking. Check your website for vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before hackers do!
    Download Trial at:

  • Next message: "Pen Testing a PBX (Northern Telecom Meridian-1)"