I'm writing a php script and I was wondering if I should allow spaces in user passwords. I'm using sha1() to hash the password, and it seems to do fine with passwords containing spaces. However, I've noticed that a lot of major sites don't allow passwords to contain spaces. Is there a reason for this or is it ok to allow them?
5
votes
There is no actual security reason to deny spaces. The restriction is a pointless legacy of poorly-written systems from decades ago, and just discourages people from using more-memorable passphrases. Let people use whatever they want.
– Jeremy
You should allow spaces. You should also allow -- encourage really -- the use of pass phrases. You may enjoy this xkcd. Oh, and please use bcrypt or scrypt or, better, an existing library that does everything. (Plain sha1 is insufficient for passwords and is too easy to brute-force.)
– user166390
And don't forget to salt those passwords!
– MrGlass
Based on the responses I typically get from various companies when I point out that it's ok (in fact, preferable) to do this, I think it's safe to assume that the reason they do this is to annoy their users.
– user212218
@JonathanNewmuis GMX and cPanel are two examples of "major sites" that don't allow passwords to contain spaces.
– Deltik
4 Answers
12
votes
You should definitely allow spaces in passwords. Many people prefer to use passphrases, and by disallowing spaces you are making life hard for them for no benefit.
In addition to allowing passphrases instead of passwords, you should also encourage them because they are more secure (OK, I admit half the reason I wrote this was to put in the xkcd link).
4
votes
1
votes
1
votes
Restricting the characters allowed in a password is pointless as long as your hashing mechanism is able to hash them identically every time. For example, you might not want to hash multibyte characters if you intend to do password checking from a system that uses a different character encoding, like hashing the password in PHP and trying to check it in Java.
