Spaces in passwords
Do spaces (ASCII 20) in passwords make them less secure? I was speaking with a security admin who feels that spaces decrease the effectiveness of passwords. I thought that they would actually do the opposite & increase password efficacy, as most password dictionary attacks do not attempt to attack embedded spaces. An attack trying to penetrate embedded spaces would seem to make the dictionary orders of magnitude larger. Any comments?
Ben
------------------------------------------------------------
The views expressed are exclusively my own & not that of my employer
------------------------------------------------------------
Ben Rothke writes:
Do spaces (ASCII 20) in passwords make them less secure?
Of course not. In a normal Unix password, adding spaces to the password search space increases the search space, so it necessarily makes the search harder.
The exception to this is when you may be overheard typing a password. The space bar sounds different, and an attacker who knows you've used a space has a significantly smaller search space. So I usually recommend avoiding space, @, #, and control characters when generating passwords. Have I missed any or gotten too many?
.pm
Jon Leonard
On Thu, 18 Apr 1996, Jon Leonard wrote:
Ben Rothke writes:
The exception to this is when you may be overheard typing a password. The space bar sounds different, and an attacker who knows you've used a space has a significantly smaller search space.
So I usually recommend avoiding space, @, #, and control characters when generating passwords. Have I missed any or gotten too many?
Why would you want to avoid #, @, etc. ? I have a hard enough time getting lusers to choose non-dictionary passwords that they can *remember* - one technique is to teach sub-100 i.q. types to use two words, separated by a #,@, etc., with a number tossed in: kill#pig1et, which isn't a dictionary word, but has a chance of being remembered without writing it on a sticky note and pasting it to the @#%&ing monitor.
- r.w.
Rabid Wombat wrote:
On Thu, 18 Apr 1996, Jon Leonard wrote:
The exception to this is when you may be overheard typing a password. The space bar sounds different, and an attacker who knows you've used a space has a significantly smaller search space.
So I usually recommend avoiding space, @, #, and control characters when generating passwords. Have I missed any or gotten too many?
Why would you want to avoid #, @, etc. ?
Space sounds different, # is sometimes backspace, @ is sometimes kill-line, and control characters often do strange things. Those are the only characters I avoid, though. For example, if you're using a teletype to change your password on a UNIX system (or it _thinks_ you _might_ be using one), and use a password of "O&]z@d#4", you've just set your password to "4". Control characters are worse: ^S to lock your terminal, ^D to disconnect -- no fun.
I have a hard enough time getting lusers to choose non-dictionary passwords that they can *remember* - one technique is to teach sub-100 i.q. types to use two words, separated by a #,@, etc., with a number tossed in: kill#pig1et, which isn't a dictionary word, but has a chance of being remembered without writing it on a sticky note and pasting it to the @#%&ing monitor.
It's hard. I'd really rather have longer pass{words,phrases} so that there's the potential for lots of entropy without requiring line-noise for passwords.
Jon Leonard
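Added example, not part of the original thread: a small Python model of the teletype line editing described in the message above, where # erases the previous character and @ discards the line typed so far. The function names and the candidate list are made up for illustration; the two quoted passwords come from the thread.

```python
# Added example: model of the teletype erase/kill editing described in the thread.
ERASE = "#"   # erase character named in the thread: deletes the previous character
KILL = "@"    # kill character named in the thread: discards everything typed so far


def cook_line(typed, erase=ERASE, kill=KILL):
    """Return the string the system receives after erase/kill processing."""
    buf = []
    for ch in typed:
        if ch == erase:
            if buf:              # erase at the start of a line has nothing to delete
                buf.pop()
        elif ch == kill:
            buf.clear()
        else:
            buf.append(ch)
    return "".join(buf)


def hazards(password, erase=ERASE, kill=KILL):
    """List the thread's reasons for avoiding characters found in a password."""
    found = []
    if erase in password:
        found.append("erase character " + repr(erase))
    if kill in password:
        found.append("kill character " + repr(kill))
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in password):
        found.append("control character")
    if " " in password:
        found.append("space (space bar is audible)")
    return found


def survives(password, erase=ERASE, kill=KILL):
    """True if the password arrives unchanged and triggers none of the hazards."""
    return (cook_line(password, erase, kill) == password
            and not hazards(password, erase, kill))


if __name__ == "__main__":
    # Constructed candidates; the first two are the passwords quoted in the thread.
    for candidate in ["O&]z@d#4", "kill#pig1et", "two words", "pig1etKill", "ab\x13cd"]:
        print(repr(candidate), "->", repr(cook_line(candidate)),
              hazards(candidate), "ok" if survives(candidate) else "avoid")
```
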
How is a control character, @, and # any different from typing an uppercase letter? Just curious.
Arley Carter
Tradewinds Technologies, Inc.
email: ac@hawk.twinds.com
www: http://www.twinds.com
"Trust me. This is a secure product. I'm from <insert your favorite corporation or government agency>."
On Thu, 18 Apr 1996, Jon Leonard wrote:
Ben Rothke writes:
Do spaces (ASCII 20) in passwords make them less secure?
Of course not. In a normal Unix password, adding spaces to the password search space increases the search space, so it necessarily makes the search harder.
The exception to this is when you may be overheard typing a password. The space bar sounds different, and an attacker who knows you've used a space has a significantly smaller search space.
So I usually recommend avoiding space, @, #, and control characters when generating passwords. Have I missed any or gotten too many?
.pm
Jon Leonard
participants (5): Arley Carter, Ben Rothke, Jon Leonard, Perry E. Metzger, Rabid Wombat