All Fields Are Required
Organization Name (N/A, if individual): CMU / UMD / UChicago
Organization Type (see below for codes): 3
Document (63-3, 63A, 63B, or 63C):
Reference (Include section and paragraph number):
Comment (Include rationale for comment):
Space characters should not be removed prior to verification. Section 5.1.1.2 suggests that “Verifiers MAY remove multiple consecutive space characters, or all space characters, prior to verification provided that the result is at least 8 characters in length.” Users may include space characters specifically to add entropy to their passwords. Depending on where users place space characters, the actual contribution to password strength may vary. However, removing space characters prior to verification will have at best minimal security impact and at worst increase password guessability. Importantly, this increase in guessability may not be obvious to users, who may (correctly) believe that they have created a password that is hard to guess, although the (altered) password stored by the verifier may be significantly easier to guess. If there are scenarios where there is evidence that removal of space characters increases usability with minimal security impact, this should be specifically mentioned in the guidance with examples provided. In general, however, we recommend removing this point.
Suggested Change:
Organization Type: 1 = Federal, 2 = Industry, 3 = Academia, 4 = Self, 5 = Other
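
The effect described in the comment above, as an added example that is not part of the original comment or of the NIST text: a toy verifier that enrolls the same spaced password with and without space normalization, then checks which entries of a guess list authenticate. The sample password, the guess list, the PBKDF2 stand-in and the reading of "remove multiple consecutive space characters" as collapsing runs to one space are all assumptions made for illustration.

```python
import hashlib, hmac, itertools, os, re

MIN_LEN = 8  # length floor applied after normalization, from the quoted Section 5.1.1.2 text

def normalize(password, mode):
    """'verbatim' keeps spaces; 'collapse' squeezes runs to one (one reading of the quote); 'strip' removes all."""
    if mode == "collapse":
        return re.sub(r" {2,}", " ", password)
    if mode == "strip":
        return password.replace(" ", "")
    return password

def _kdf(secret, salt):
    # PBKDF2 is a stand-in for whatever password hash the verifier uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

def enroll(password, mode):
    secret = normalize(password, mode)
    if len(secret) < MIN_LEN:
        raise ValueError("too short after normalization")
    salt = os.urandom(16)
    return salt, _kdf(secret, salt)

def verify(record, attempt, mode):
    salt, digest = record
    return hmac.compare_digest(_kdf(normalize(attempt, mode), salt), digest)

def accepted_guesses(password, guesses, mode):
    """Guesses from a list that authenticate against the record stored for `password`."""
    record = enroll(password, mode)
    return [g for g in guesses if verify(record, g, mode)]

def distinct_stored_secrets(base, mode):
    """Number of distinct stored secrets across every way of spacing out `base`."""
    variants = set()
    for gaps in itertools.product(["", " "], repeat=len(base) - 1):
        variants.add("".join(c + g for c, g in zip(base, gaps + ("",))))
    return len({normalize(v, mode) for v in variants})

# Constructed sample data: a spaced password the user chose and a short guess list.
USER_PASSWORD = "pass word 1"
GUESSES = ["password1", "12345678", "qwertyuiop"]

if __name__ == "__main__":
    for mode in ("verbatim", "collapse", "strip"):
        print(mode, accepted_guesses(USER_PASSWORD, GUESSES, mode),
              distinct_stored_secrets("password1", mode))
```

With spaces kept, none of the guesses authenticate and each spacing of the base string is its own secret; with all spaces stripped, every spacing is stored as the same string and the unspaced guess is accepted.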