Ask HN: Why do websites disallow spaces in passwords?
This has always baffled me. It's actually harder to disallow spaces, and it seems like there are only disadvantages.
Is it just for being able to use it in cleartext cases conveniently elsewhere (which is generally extremely bad anyway...)?
Does anyone know of a good reason for this, or at least the reason some sites do this?
26 comments
[ 1.3 ms ] story [ 67.7 ms ] threadThat doesn't address spaces IN passwords, but I know I've never written a script to block them. If I had to guess I would say it depends on individual frameworks or the behavior of individual languages. E.g. python has a decent strip() function, javascript doesn't. If you need to trim whitespace in javascript you need to write a regex. It would be easier to test/remove all whitespace instead of trailing/leading whitespace. Maybe that's a clue.
No matter what you tell them, users will store passwords in text files and email them around in spreadsheets, and spaces interfere with cutting and pasting in a way that other characters don't.
It's not a strong reason, but no-one's ever complained about not being allowed to use spaces either.
Some guy saw something break once because a password with a space was passed on exec(). Some guy knows that crypt() only uses the first 13 characters. Some guy knows that passwords with less than 5 characters are extremely weak. Some guy knows that \ also breaks when passed to exec() or sh, etc. This goes on ad nauseum for about an hour, a bunch of people are bored and just want to get out of the meeting so they propose the following which everyone can agree on.
Spec: Alphanumeric passwords with a minimum of 5 characters and a maximum of 13.
Result: m/^[A-Z,0-9,a-z]{5,13}$/
But I hate you if you force me to have capitals or numbers or symbols!
Traditionally, when deciding what password characters to allow/disallow, everyone thinks in terms of what to allow, not what to disallow.
For example, a system that only allows alphanumeric characters in passwords (i.e. no special characters) would use less code to specify with regex that only a-z,A-Z,0-9 should be allowed, rather than specifying the many characters to be blocked (and even when more complicated options were allowed, code generally still specifies allowed characters, rather than disallowed characters).
Therefore I would suggest that websites disallowing spaces in passwords is in fact just that they didn't see fit to allow them, not that they went out of their way not to.
How much entropy does white space add to a password? Where are most people putting spaces in passwords? Are they using passphrases (in which case the position of spaces can be guessed and thus have low entropy)?
Given that I can think of a potential downside and possibly no gain in security, I can understand why some may default to not allowing it.
What exactly do you have in mind telling this is dependent on the nature of the application? What type of applications should encourage it? Just curious.
Ultimately there has to be some mechanism for a password reset, and there must be some level authentication during this reset.
How about a non-security-sensitive website which has a registration function and the only form of contact is via the registered email address? Users are likely to forget their passwords. The only way to verify a user in order to reset his password is with his email address. If you reset the password on request and then email it, then there is effectively a DoS there, and you are requiring the user to take extra effort (going back in and changing it again). If you email the existing plaintext password to him on request, then there is no DoS issue and minimal hassle for the user - provided that the security requirements make it acceptable for 1) a plaintext password to be emailed (but otherwise what else are you going to do?) and 2) the old password to be continued to be used even after it has been emailed in plaintext.
I'm not sure which of the two options I would implement myself. I'm not even aware of what existing webapps do since I use a password safe and so have never had to go through the process.
I'm just saying that for a non-security-sensitive situation, I have no major objection to the second option being used, and in this case it makes sense for white space to be not permitted in passwords. Since I'm not convinced that there is an entropy advantage in allowing spaces, I don't see why banning whitespace is a problem.
I live like a tech luddite except when developing, so I don't use a password store for low security sites. One of my low security/throwaway passwords includes a space.