I've tried different sites/products and this seems to be split fairly evenly. Windows 7 and Gmail allow you to insert spaces in your password. Hotmail and Twitter do not.
This SuperUser question might be relevant.
I think that your observation is accurate: many web-based systems accept only alphanumerics and a subset of symbolic characters (say, 0-9A-Za-z/_-!), but I think that this is simply historical convention. It may also be that programmers are used to the <space> character delimiting fields, rather than being found inside them.
There's also the issue of visibility: if you allow multiple consecutive spaces in a password, can the user easily count them? Might a system even collapse them into one (as unaided HTML would)? Can even a single space character be easily and quickly identified?
However, plenty of other types of systems do allow spaces in passwords. I'd probably still stray from them simply to help prevent user confusion (if people are indeed used to spaces in passwords being invalid, a password with a space in may be confusing to many), but there doesn't seem to be any technical reason not to allow them.
Here is a quick way to test password strength--use Google's own account password API:
https://www.google.com/accounts/RatePassword?Passwd=mypwd
Per your question about whitespace, I have entered a simple password with two characters and one whitespace, "t t". Google gave the password a rating of 3 out of 4. If I do the same password but remove the whitespace, "tt", the rating received is 1 out of 4. By Google's rating standard, including whitespace improves the quality/strength of a password.
The main problem I see would be usability for the user in terms of e.g. trailing spaces. Also, if you start allowing non-visible characters like the space, you might also start allowing all sorts of other non-visible characters like tabs and so on. IMHO the disadvantages outweigh the benefits. To make a password really secure, just increase the length and allow some special characters, numbers and letters, and be case specific. With e.g. > 20 digits, that's practically unbreakable at this stage (at least in terms of worth the effort...).
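The concerns raised in this thread (collapsed or trailing spaces, and other non-visible characters such as tabs) can be handled at input time instead of banning spaces. The sketch below is an added example, not code from any poster or from the sites mentioned: it accepts ordinary spaces, rejects other non-visible characters, warns on hard-to-see spacing, and hashes the password exactly as typed. The function names, the `html_collapse` helper and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def check_password_chars(password: str) -> list:
    """Allow U+0020; reject other non-visible characters; warn on risky spacing."""
    issues = []
    for ch in password:
        if ch == " ":
            continue  # a plain space is an ordinary password character
        cat = unicodedata.category(ch)
        # Cc = control (tab, newline), Cf = format (zero-width), Z* = other spaces
        if cat in ("Cc", "Cf") or cat.startswith("Z"):
            issues.append(f"reject: non-visible character U+{ord(ch):04X}")
    if password != password.strip(" "):
        issues.append("warn: leading or trailing space")
    if "  " in password:
        issues.append("warn: consecutive spaces")
    return issues


def hash_password(password: str, salt: bytes = b""):
    """Hash the password byte-for-byte: no trimming, no collapsing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def html_collapse(text: str) -> str:
    """Hypothetical lossy step: whitespace collapsing as unaided HTML renders it."""
    return re.sub(r"[ \t\r\n]+", " ", text).strip()


if __name__ == "__main__":
    for candidate in ("correct horse", "t  t ", "a\tb"):  # constructed samples
        print(repr(candidate), check_password_chars(candidate))
```

Any step that trims or collapses whitespace between the input field and the hash makes distinct passwords verify as the same one, so such normalization has to be either absent or applied identically at both registration and login.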