Penetration Testing mailing list archives

RE: Whitespace in passwords
From: "Anders Thulin" <Anders.Thulin () tietoenator com>
Date: Wed, 7 Sep 2005 12:16:39 +0200

From: bryan allott [mailto:homegrown () bryanallott net] 

to the misnomer "passWORD" rather than passPHRASE but it 
seems that [most?] people choose passes that don't contain 

  Most people still stick to alphanumeric passwords, and most
of those are passwords where the digits are placed at the end.
Whitespace is probably not more special than any of the other
'specials' that appear on a standard keyboard. A problem is to
know just what those are -- a look at a keyboard may lead a user to 
think the 'x' on the keypad is a different special character than the

my main question, re security, is whether the whitespace made 
the password too vulnerable? [historically] and why this 
constraint is introduced in many systems..

  Tradition, probably.  In environments where users are given
fixed passwords that they can't change themselves, space
belongs together with S58, O0, and Il1 to the characters that
probably will be misunderstood, and so cause calls to helpdesk.
Anything that is likely to cause a help-desk call is a no-no
in large environments.
  Another aspect is regularity of user interface design: should
space be treated as significant when it appears first and last in
a string in general, say a Search field in a text editor or a From-
field in an e-mail program? If not, spaces first and last in
passwords will be assumed to be insignificant as well -- and
so become another source for helpdesk complaints.
Regularity pays off.

 [but then, if 
myth- why propagate it?]

  Probably also a case that passwords are seldom documented in detail,
and few people are willing to sit down to find out details by experiment.
(Windows NT hashes use the OEM character set ... which is another source
of documentation problems.)  So instructions for password construction
tend to avoid mentioning characters that might be troublesome, even
though there are some important things to know. 

  For instance, dead accent keys (on my kbd ^ is one) usually don't change
the base character in a password, so 'pass' and 'pâss' may produce the same
password hash.

  The most useful character to have in a reasonably modern Windows
password is EUR (Alt-Gr E on my kbd.) I suspect the reason why is well
known -- if not, I'll leave it as an exercise. I'm sure there are similar
'oddities' on other password situations.

i'm thinking that whitespaces [if yr 
system can handle them, and why not?] would add another 
measure of complexity in cracking pwds? 

  Of course they do.  But ... if you already have an adequate
password protection -- say, accounts are locked out after 25 failed
attempts per day regardless of source --  the extra complexity doesn't
add much protection.  (If you have the password hashes, security
has already failed, and any attempt to add a last line of defense
in the form of password complexity is misguided: it's only a
question of time before the passwords are discovered, and that
time should not be left to users to ensure.) 

Anders Thulin   anders.thulin () tietoenator com   040-661 50 63          
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
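
The helpdesk and interface-regularity points in the message above, as an added example that is not part of the original post: a check for issued passwords that flags the look-alike characters it names (S58, O0, Il1) and edge whitespace, plus a model of a login form that trims its input. The function names, the PBKDF2 stand-in hash and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Look-alike groups named in the post: S58, O0, Il1.
AMBIGUOUS = set("S58O0Il1")

def derive(password, salt):
    # PBKDF2 stands in for whatever hash the real system uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def check_issued_password(password):
    """Return the reasons an issued password is likely to cause a helpdesk call."""
    problems = []
    if password != password.strip():
        problems.append("leading or trailing whitespace")
    hits = sorted(AMBIGUOUS & set(password))
    if hits:
        problems.append("look-alike characters: " + "".join(hits))
    return problems

def enroll(password):
    """Store the password exactly as given, whitespace included."""
    salt = os.urandom(16)
    return salt, derive(password, salt)

def verify(typed, record, trims_input):
    # trims_input models a login form that strips the field like a search box.
    salt, stored = record
    if trims_input:
        typed = typed.strip()
    return hmac.compare_digest(derive(typed, salt), stored)

def demo():
    """Constructed sample: one account set with edge spaces, one with an inner space."""
    edge = enroll(" correct horse ")
    inner = enroll("correct horse")
    return {
        "edge_exact_form": verify(" correct horse ", edge, trims_input=False),
        "edge_trimming_form": verify(" correct horse ", edge, trims_input=True),
        "inner_trimming_form": verify("correct horse", inner, trims_input=True),
    }

if __name__ == "__main__":
    print(check_issued_password(" Il0ve "))
    print(demo())
```

A password with edge spaces verifies on the form that keeps the field verbatim and fails on the one that trims, while an interior space survives both, so rejecting edge whitespace when the password is set keeps every front end consistent.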

