bmacnaughton

Why no whitespace in passwords?

Are there any behind-the-scenes reasons that whitespace is not allowed in passwords, or is it a policy choice?

I've found that people can remember phrases that mean something to them well so they make longer, more secure passwords/passphrases.

  • Like 3


Technically there is no reason why whitespaces are not allowed in passwords.

There are however a few cases where whitespaces cause trouble and therefore are simply not allowed:

1. unintentional whitespace at the beginning or ending of a password

2. charset issues


Technically there is no reason why whitespaces are not allowed in passwords.

There are however a few cases where whitespaces cause trouble and therefore are simply not allowed:

1. unintentional whitespace at the beginning or ending of a password

2. charset issues

Thanks for this. Can you expand on charset issues? If the DB and the site all use UTF-8 then I don't understand why this would be a problem.


If the DB and the site all use UTF-8 then I don't understand why this would be a problem.

As a CMS provider you never know if this is in fact the case. It's always better to restrict stuff like this as it really does not limit the ability to have safe passwords, while it limits the potential for error. Inline whitespaces are just two chars that you can't use.


Passwords aren’t stored as plain text in the DB, so that shouldn’t be an issue. If one is worried about leading/trailing whitespace, one might as well disallow that specifically, or routinely trim passwords (and tell the user about it).

Plus, we deal with spaces in POST data all the time anyway?! Even this forum allows spaces in usernames, which kind of blew my mind the first time I logged in. I really dig it.

I’m a big proponent of long passwords and I feel, calling them “passwords” instead of “pass phrases” was a major mistake, leading to the stupid password policies we see everywhere, when in reality, the best thing you can do is just have a long-ass combination. Personal sentences are great for this. Easily typed, because that’s what we’re used to type, and easy to remember, because unlike cryptic alphanumeric combinations with an obligatory exclamation point at the end, they make sense even without thinking up mnemonics first…

  • Like 2


If charset is a problem, passwords must rely on ASCII only. Accidental whitespace before/after could be stripped out easily, without touching whitespace within the password. I for one like the ability to use "limitless" passwords :-)
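
The handling discussed in the two posts above (trim only the ends and tell the user, keep inner spaces, hash rather than store text), as an added example that is not part of the thread and is not ProcessWire code. It goes one step beyond the posts by applying Unicode NFKC normalization so the charset concern does not require ASCII-only passwords; the function names and the PBKDF2 work factor are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 600_000  # assumed work factor for this sketch


def normalize_password(raw: str) -> tuple[str, bool]:
    """Return (normalized, was_trimmed).

    NFKC makes equivalent Unicode encodings (composed vs. decomposed
    accents, no-break space vs. plain space) hash identically, which is
    the "charset" concern. Only the ends are trimmed; inner spaces stay.
    """
    unified = unicodedata.normalize("NFKC", raw)
    trimmed = unified.strip()
    return trimmed, trimmed != unified


def hash_password(raw: str) -> tuple[bytes, bytes, bool]:
    """Hash a new password; the flag lets the UI tell the user it was trimmed."""
    password, was_trimmed = normalize_password(raw)
    if not password:
        raise ValueError("password is empty after trimming")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest, was_trimmed


def verify_password(raw: str, salt: bytes, expected: bytes) -> bool:
    """Apply the same normalization at login, then compare in constant time."""
    password, _ = normalize_password(raw)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: inner spaces, a decomposed "é" and a stray trailing space.
    salt, digest, trimmed = hash_password("my cafe\u0301 opens at nine ")
    print("trimmed:", trimmed)
    print("composed form:", verify_password("my caf\u00e9 opens at nine", salt, digest))
    print("spaces removed:", verify_password("mycaf\u00e9opensatnine", salt, digest))
```

The same normalization has to run at both registration and login; changing it later invalidates stored hashes for any password it affects.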


+for spaces in passwords! And no artificial requirements as uppercase and number etc. The restrictions in passwords should be freely definable in PW. 


Spaces in passwords take up empty space. That consumes more energy on your monitor. FREE passwords now.

  • Like 2
