Jump to content

Recommended Posts

I just changed my password, and I was absolutely flabbergasted to discover that Evernote does NOT allow spaces in passwords.

This is a glaring security deficit. Why would you limit what users can use as passwords?

Share this post


Link to post

Hi.  We're a mainly user supported forum,  so system issues aren't really our 'thing',  but AFAICS an 8 character password has 3.026x10^15 possible combinations.  Trust me (or actually Stack Exchange) that's a lot.  I don't see that adding a space is materially different to adding any other character... or just making it a 10-char password.  I use a password manager so secure passwords of any length aren't a problem.

Share this post


Link to post

@Thohi  You might repost this as a feature request,

I'm not flabbergasted and don't see this as a "glaring security deficit", but I see no reason why users shouldn't be allowed to use spaces in passwords.  I tend to avoid spaces in my use just to limit possible confusion.

 

Share this post


Link to post
3 hours ago, gazumped said:

Hi.  We're a mainly user supported forum,  so system issues aren't really our 'thing',  but AFAICS an 8 character password has 3.026x10^15 possible combinations.  Trust me (or actually Stack Exchange) that's a lot.  I don't see that adding a space is materially different to adding any other character... or just making it a 10-char password.  I use a password manager so secure passwords of any length aren't a problem.

That is completely wrong statement. The general formula for possible combinations is possible number of characters ^ password length. In an alphabet of two, and assuming max length of password is 8, 2^8=256 but 3^8=6561 (we just added 1 character!). In comparison, if we stuck with alphabet of 2 but increase password length to 12, we'll get 2^12=4096, so almost doubling password length we would not get even close to the result of adding just one possible character to the alphabet.

In more real example, [A-z] would be 26*2^8=52^8 where adding spaces and special characters it could be over 80^8. Password of the same length would be extremely stronger even if it weren't using all that characters, but the fact system allows it makes a brute force dictionary much longer = longer time for attack.

Share this post


Link to post
3 hours ago, JamesBlake said:

That is completely wrong statement. The general formula for possible combinations is possible number of characters ^ password length. In an alphabet of two, and assuming max length of password is 8, 2^8=256 but 3^8=6561 (we just added 1 character!). In comparison, if we stuck with alphabet of 2 but increase password length to 12, we'll get 2^12=4096, so almost doubling password length we would not get even close to the result of adding just one possible character to the alphabet.

In more real example, [A-z] would be 26*2^8=52^8 where adding spaces and special characters it could be over 80^8. Password of the same length would be extremely stronger even if it weren't using all that characters, but the fact system allows it makes a brute force dictionary much longer = longer time for attack.

Not sure whether I'm not understanding your point,  or you're not understanding mine,  but I was trying to say that adding a space to an existing 8 character password doesn't increase the number of combinations available any more than adding an extra character or two to an unspaced password.

Share this post


Link to post
On 8/10/2018 at 7:32 PM, gazumped said:

Not sure whether I'm not understanding your point,  or you're not understanding mine,  but I was trying to say that adding a space to an existing 8 character password doesn't increase the number of combinations available any more than adding an extra character or two to an unspaced password.

And that is wrong and I just proved why. TL;DR: simply by adding whitespace to the list of allowed characters Evernote would dramatically increase strongeness of all users passwords, even these who are not using whitespace in their sequence. It would increase potential number of combinations significantly more than if one would increase it by adding to the password length.

Share this post


Link to post
1 hour ago, JamesBlake said:

simply by adding whitespace to the list of allowed characters

Is this "adding whitespace" or simply adding space as one of the characters.  
I'm not seeing any security effect  if the character is space or $

Share this post


Link to post
On 8/10/2018 at 3:31 PM, JamesBlake said:

In more real example, [A-z] would be 26*2^8=52^8 where adding spaces and special characters it could be over 80^8.

At least some special characters are already allowed in Evernote passwords. I use at least one punctuation characters in mine (I have more than one account); you're already at an alphabet size > 62. Let's face it, if one is after more security, you're much better off using a longer password. Even adding a single character buys you more security than adding a space to the password alphabet.

Doing the math, using a wholly [a-z]+[A-Z]+[0-9] alphabet, and leaving out the special characters (since we don't know how many are actually allowed, and it doesn't matter a heck of a lot to my example). And let's stick to your example's 8 character base password, though that's probably a little short in this day and age (mine are longer).

Let A = Alphabet size, and P =  password length,  # possible passwords is AP.
628 =  2.1834E+14 (original case)
638 = 2.48156E+14 (add space character to password alphabet)
629 = 1.35371E+16 (add one extra password character)

Adding a space character will make some difference, so that wouldn't be a bad thing, for sure, but adding a single character to your password is a whole lot better...

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...