Why are space characters not allowed in password fields?

Thoughts?

2 Likes

seems the best answer to me with quick searching

4 Likes

In general, increasing the length of a password is better than increasing the set of possible characters of a password in terms of password entropy. Instead of allowing special characters for your password you should consider increasing its length.

Here is the relevant formula: https://en.wikipedia.org/wiki/Password_strength#Random_passwords

Example:

A password can consist of lowercase letters (a–z), uppercase letters (A–Z), and numerals (0–10). This means, your N in the formula is 26 + 26 + 10 = 62.

Now, you generate your 10-digit password (L = 10) using this N of 62. You get about 59.5 bits of entropy using the linked formula.

If you allow 1 additional character (e.g., the whitespace character), you have an N of 63 (and an unchanged L of 10). This means you get about 59.8 bits of entropy. This is a very small change (~0.3 bits of entropy) and nearly irrelevant for its security.

If you increase the length of your password from 10 to 11 (L = 11) without allowing additional characters (N is still 62), you get about 65.5 bits of entropy. As you can see, the change is bigger (~6 bits of entropy) and now it becomes relevant.


PS: Keep in mind that “The minimum number of bits of entropy needed for a password depends on the threat model for the given application. If key stretching is not used, passwords with more entropy are needed.” And of course, your 100-digit password becomes instantly insecure if it is stored in cleartext by a website and leaked afterwards.

3 Likes

Thank you for your details, although I don’t believe it answers my question. I probably didn’t word my question well enough. Is there a good reason they would remove the space character? I simply just don’t get why password fields should be limited with only certain characters.

2 Likes

Well that’s actually a pretty good way to put it. It reduces confusion with space characters in the event they do use them. Although technically lowering the permutations, it means less issues the support team has to deal with.

And sorry, didn’t see your comment. Thank you!

2 Likes

Yes, talking about password entropy is a little bit off topic here, but maybe someone looks for this and comes across your thread in future. Then, it can be helpful to find this here. :slightly_smiling_face:

3 Likes