Password Strength

[mostafatalebi]

Hello

I have a very simple question.

Is allowing passwords with space inside, problematic?

[Christian F.]

No, not problematic at all. If any thing, it's desirable as it increases the entropy (available character space).

Technically speaking, it is desirable to allow any printable character in a password. As for every character disallowed in a password, the time it'll take an attacker to crack the password is reduced exponentially: The entropy is defined by number of characters in a password raised to the power of available characters, after all. (Length^allowed characters, in other words.)

 

Just to give you an example of how much difference only two disallowed characters would make, and then we only assume 95 printable characters in total (basic ASCII):

php > $len1 = pow (10, 95);
php > $len2 = pow (10, 93);
php > echo $len1 - $len2;
9.9E+94

In case you're doubting it, yes: That is 99 followed by 93(!) zeroes fewer potential password an attacker has to search. All from just removing only 2 characters from the pool. Or, in other words, you just reduced the entropy by 99%

[mostafatalebi]

thanks. comprehensive reply

[Christian F.]

You're welcome.