As I was listening to old RSA talks, Ed Skoudis, Instructor at SANS Institute, gave his advice on incorporating a space into passwords. Below is an excerpt from the video.
“Simply putting a space in your password, as a computer attacker, it makes it harder to guess or crack your password… the most insidious space is at the end, because if the attacker successfully attacks and cracks your password and it displays on the screen and they won't see the spaces and they will lock out your account, wondering why it didn't work.”
So, what backs up his claim?
For some context, let's look at NIST Special Publication 800-63B, also known as Digital Identity Guidelines: Authentication and Lifecycle Management, which says of passwords (memorized secrets):
“All printing ASCII characters as well as the space character SHOULD be acceptable in memorized secrets”
Not every system follows this guideline and accepts every printable ASCII character in a password, but many do. For the space character specifically, the common operating systems, Windows and Linux included, accept it anywhere in a password, so Skoudis's advice is usable there.
Network appliances vary. Some follow NIST SP 800-63B and some do not: FortiOS from Fortinet does accept spaces in passwords, whereas Palo Alto firewalls do not.
You will have to check each system's documentation, or simply test it, to see whether it accepts a space and other special characters, and whether it keeps a leading or trailing space rather than trimming it before the password is stored.
Thwarting the Attacker
Skoudis puts it well in his talk: even if the attacker cracks the password, a space at the end is easy to overlook when the cracked plaintext is displayed, so the attacker types the password without it, the login fails, and if a lockout policy is in place the account is locked out. Two caveats apply. The trick relies on human oversight, not on the space being uncrackable; a dictionary attack that appends a space as a mangling rule will recover it. And it only works if the verifier keeps the space: an application that trims leading and trailing whitespace before hashing will accept the password both with and without it, so after setting such a password, confirm that logging in without the space fails.
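To make the mechanics concrete, here is an added example in Python (it is not from the talk or from this post). It models a password verifier that either keeps or trims whitespace, runs a toy dictionary attack against the stored hash, and shows what happens when the attacker types the cracked password without its trailing space. Plain SHA-256 is used only to keep the loop readable; real systems use salted, slow hashes. The wordlist, the secret and the helper names are constructed for the demonstration. The last function is a probe you can wire to a real account's "set password" and "try login" actions to check whether that system preserves a trailing space.

```python
import hashlib

# Added example: toy verifier + toy dictionary attacker. Plain SHA-256 is a
# simplification; real verifiers use salted, slow hashes (bcrypt, Argon2, ...).

def normalize(password: str, trim_whitespace: bool) -> str:
    """Some applications strip leading/trailing whitespace before hashing."""
    return password.strip() if trim_whitespace else password

def store(password: str, trim_whitespace: bool = False) -> str:
    """What the verifier keeps on disk for this password."""
    digest = hashlib.sha256(normalize(password, trim_whitespace).encode("utf-8"))
    return digest.hexdigest()

def verify(stored: str, candidate: str, trim_whitespace: bool = False) -> bool:
    """The login check: hash the typed password the same way and compare."""
    return store(candidate, trim_whitespace) == stored

def dictionary_attack(stored: str, wordlist, rules=()):
    """Hash each word as-is, then each mangling rule applied to it.
    Returns the candidate that matched, or None if the wordlist misses."""
    for word in wordlist:
        for cand in [word] + [rule(word) for rule in rules]:
            if hashlib.sha256(cand.encode("utf-8")).hexdigest() == stored:
                return cand
    return None

# Constructed wordlist and secret for the demonstration.
WORDLIST = ["password", "correct horse", "letmein"]
SECRET = "correct horse "          # note the trailing space
APPEND_SPACE = lambda w: w + " "   # the mangling rule that defeats the trick

def demo() -> dict:
    out = {}
    strict = store(SECRET)                                   # verifier keeps the space
    out["plain_wordlist"] = dictionary_attack(strict, WORDLIST)
    out["with_append_rule"] = dictionary_attack(strict, WORDLIST, rules=[APPEND_SPACE])
    # Attacker read "correct horse " off the screen but typed it without the space.
    out["typed_without_space"] = verify(strict, "correct horse")
    trimming = store(SECRET, trim_whitespace=True)           # verifier strips whitespace
    out["trimming_plain_wordlist"] = dictionary_attack(trimming, WORDLIST)
    return out

def trailing_space_preserved(set_password, check_password, base="Tr0ub4dor&3") -> bool:
    """Probe for a real system. The caller supplies set_password(pw) and
    check_password(pw) -> bool for a test account. True means the verifier
    keeps the trailing space (login without it fails); False means the space
    is trimmed or ignored, and Skoudis's trick buys nothing there."""
    set_password(base + " ")
    return check_password(base + " ") and not check_password(base)

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Against the strict verifier the plain wordlist misses and the attacker who omits the space is rejected; add an append-a-space rule and the hash falls immediately. Against the trimming verifier the plain wordlist succeeds on the first try, because the stored hash never contained the space at all.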
In that event, your enterprise security policy should have audit log monitoring in place to catch privileged account lockouts and bursts of authentication failures. On Windows, the lockout itself is Security Event ID 4740, "A user account was locked out", and each failed attempt that preceded it is Event ID 4625, "An account failed to log on"; a lockout of an administrative or service account, or a run of 4625 events for one account in a short window, should raise an alert.
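As an added illustration (not part of the post), here is a small Python detector run over constructed Windows Security events flattened to JSON lines, the way a log forwarder might emit them. The field names are simplified from the real event XML, the account list, threshold and window are assumptions, and the sample records are made up: five failures for a service account followed by its lockout, plus two unrelated failures spread over an hour.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: Windows Security events as JSON lines. Field names are a
# simplification of the real event XML (e.g. the lockout's caller computer is
# just "CallerComputerName" here). 4625 = failed logon, 4740 = account locked out.
SAMPLE_EVENTS = """\
{"EventID": 4625, "TimeCreated": "2020-07-27T09:00:01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.23"}
{"EventID": 4625, "TimeCreated": "2020-07-27T09:00:04", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.23"}
{"EventID": 4625, "TimeCreated": "2020-07-27T09:00:06", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.23"}
{"EventID": 4625, "TimeCreated": "2020-07-27T09:00:09", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.23"}
{"EventID": 4625, "TimeCreated": "2020-07-27T09:00:11", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.23"}
{"EventID": 4740, "TimeCreated": "2020-07-27T09:00:12", "TargetUserName": "svc_backup", "CallerComputerName": "WS-HR-07"}
{"EventID": 4625, "TimeCreated": "2020-07-27T09:15:00", "TargetUserName": "jsmith", "IpAddress": "10.0.0.41"}
{"EventID": 4625, "TimeCreated": "2020-07-27T10:30:00", "TargetUserName": "jsmith", "IpAddress": "10.0.0.41"}
"""

# Assumed tuning for the example: which accounts are privileged, and how many
# failures inside what window count as suspicious.
PRIVILEGED = {"administrator", "svc_backup", "da_admin"}
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

def parse_events(text):
    """Yield one dict per non-empty line, with TimeCreated parsed to datetime."""
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
            yield ev

def detect(text, privileged=PRIVILEGED, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (severity, message) alerts: every 4740 (high if the account is
    privileged), and the moment an account reaches `threshold` 4625 events
    within `window`. Events must be in time order, as a forwarder delivers them."""
    alerts = []
    recent = defaultdict(deque)            # account -> timestamps of recent failures
    for ev in parse_events(text):
        user = ev["TargetUserName"].lower()
        when = ev["TimeCreated"]
        if ev["EventID"] == 4740:
            severity = "high" if user in privileged else "medium"
            caller = ev.get("CallerComputerName", "?")
            alerts.append((severity, f"lockout of {user} from {caller}"))
        elif ev["EventID"] == 4625:
            q = recent[user]
            q.append(when)
            while q and when - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) == threshold:            # fire once when the threshold is hit
                src = ev.get("IpAddress", "?")
                alerts.append(("medium", f"{threshold} failed logons for {user} within {window} from {src}"))
    return alerts

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

On the sample this raises two alerts, in order: the fifth failure for svc_backup inside the window, then the high-severity lockout of that privileged account; the two jsmith failures are too far apart to trip the threshold. In production the same logic would read events from your SIEM or from Get-WinEvent rather than from an embedded string.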
For personal accounts, a space in the password could be the difference between an account takeover and a security alert.
I cannot confirm or deny that I will start using spaces in passwords, but it is a neat trick.
Last updated for accuracy: July 27, 2020.