Why no whitespace in passwords?

[bmacnaughton]

Are there any behind-the-scenes reasons that whitespace is not allowed in passwords, or is it a policy choice?

I've found that people can remember phrases that mean something to them well so they make longer, more secure passwords/passphrases.

[pwired]

Technically there is no reason why whitespaces are not allowed in passwords.

There are however a few case where whitespaces cause trouble and therefore

are simply not allowed:

1. unintentionally whitespace at the beginning or ending of a password

2. charset issues

[bmacnaughton]

Technically there is no reason why whitespaces are not allowed in passwords.

There are however a few case where whitespaces cause trouble and therefore

are simply not allowed:

1. unintentionally whitespace at the beginning or ending of a password

2. charset issues

Thanks for this. Can you expand on charset issues? If the DB and the site all use UTF-8 then I don't understand why this would be a problem.

[LostKobrakai]

If the DB and the site all use UTF-8 then I don't understand why this would be a problem.

As a CMS provider you never know if this is in fact the case. It's always better to restrict stuff like this as it really does not limit the ability to have save passwords, while it limits the potential for error. Inline whitespaces are just two chars that you can't use. 

[Jan Romero]

Passwords aren’t stored as plain text in the DB, so that shouldn’t be an issue. If one is worried about leading/trailing whitespace, one might as well disallow that specifically, or routinely trim passwords (and tell the user about it).

Plus, we deal with spaces in POST data all the time anyway?! Even this forum allows spaces in usernames, which kind of blew my mind the first time I logged in. I really dig it.

I’m a big proponent of long passwords and I feel, calling them “passwords” instead of “pass phrases” was a major mistake, leading to the stupid password policies we see everywhere, when in reality, the best thing you can do is just have a long-ass combination. Personal sentences are great for this. Easily typed, because that’s what we’re used to type, and easy to remember, because unlike cryptic alphanumeric combinations with an obligatory exclamation point at the end, they make sense even without thinking up mnemonics first…

[suntrop]

If charset is a problem, passwords must rely on ASCII only. Accidental whitespace before/after could be stripped out easily, without touching whitespace within the password. I for one like the ability to use "limitless" passwords

[lpa]

+for spaces in passwords! And no artificial requirements as uppercase and number etc. The restrictions in passwords should be freely definable in PW. 

[Soma]

Spaces in passwords take up empty space. That consumes more energy on yor minotor. FREE poasswords now.

[gRegor]

I was really surprised to run into this just today. I opened a github issue because there's really no reason I can see for it. https://github.com/processwire/processwire-requests/issues/4

Edit: changed the github link to new PW requests repo. Please vote/+1 there to express your interest.

[gRegor]

Good news. PW 2.8.x and 3.x already support whitespace. I didn't realize those versions were in separate repos: https://github.com/ryancramerdesign/pw28 and https://github.com/processwire/processwire. Ryan said 2.8 repo is probably moving to the processwire org github shortly.