Password Space

In this blog post, I will defend the idea that you should use spaces in your passwords.

As I was listening to old RSA talks, I saw this comment;

I posted the talk below so you can hear Ed Skoudis, Instructor at SANS Institute, give his advice. However, his advice is below;

“Simply putting a space in your password, as a computer attacker, it makes it harder to guess or crack your password… the most insidious space is at the end, because if the attacker successfully attacks and cracks your password and it displays on the screen and they wont see the spaces and they will lockout your account, wondering why it it didn’t work.”

So, what backs up his claim?

For some context, lets look at NIST Special publication 800-63B, also known as, Digital Identity Guidelines: Authentication and Lifecycle Management

All printing ASCII  characters as well as the space character SHOULD be acceptable in memorized secrets”

Now, not all systems accept this standard and allow spaces in passwords, but there are many that do, like Windows and Linux for example.

For other systems, like firewalls, some follow NIST SP 800-63B guidelines and other do not, such as FortiOS from Fortinet, which DOES support spaces in passwords. whereas Palo Alto firewalls do not.

You will have to research each system to see if it allows for special characters in passwords.

Thwarting the Attacker

Ed says it beautifully in his talk, that, even if the attacker cracks the password, and you put the space at the end of your password, a space would be invisible or unnoticed by even the most advanced attackers, which would result in them locking your account out.

In that event, you should have proper audit log monitoring in place to catch privileged account lockouts or suspicious authentication failure activity. For example, for Windows, you should be monitoring the audit log Event ID 4740 “a user account was locked out”.