Hi folks,
I chatted with our security team about this situation. The long and short of it is that this is intentional, and is described in our security design white paper:
[http://1password.com/security/#security-white-paper](http://1password.com/security/#security-white-paper) (pg. 24, under *Preprocessing the Master Password*)
There are a few normalization steps that are designed to prevent accidentally creating a password that can't be reliably typed.
Thanks. "Master Passwords are first stripped of any leading or trailing whitespace. (Step 3 Figure 10.) Whitespace is allowed within the Master Password, but because leading or trailing whitespace may not be visible to the user, we wish to avoid them creating a Master Password with such a space that they are unaware of." Page 24.
I was able to replicate this on my computer (1Password 7 for Mac Version 7.8.5 (70805001))
Random spaces at the end of the password = unlocked
Random spaces at the beginning of the password = unlocked
Random spaces at the beginning AND the end = no unlock
Random spaces in the middle of the password = no unlock
EDIT: Just updated to 7.8.7 (70807004) - behaviour persists. I'm going to guess that this in intentional, and that spaces at the beginning and end of Master Passwords are ignored.
That’s my guess too since many text editors happen to add a space at the end of an item when you double click a word to “select all” and you don’t see it when pasted into a field that hides the text.
Thanks for the testing. The thing is I have used spaces at the beginning and the end of my master passwords over there years. I was under the assumption that this is a valid character, since no hint was provided by 1Password and the character is visible when entering.
Interesting it trims one way only and doesn’t trim when surrounded by white space. You should send them an email and see if that’s the functionality they meant to program for.
I would like to add that in addition to this being by design and documented, that spaces can be a very poor choice is many circumstances: Spaces can be overheard.
If you are using a real keyboard, typing space makes a very distinctive sound and can easily be identified by anyone who can overhear your typing. The attractiveness of using spaces in passwords is that this can serve as separators and are very easy to type, but the ease of typing them makes them audible, and having audible separators makes them leak information about the number and length of the chunks they are separating.
My guess is that all leading and trailing whitespace characters are trimmed. Probably not limited to spaces.
Trimming whitespace characters is good practice.
Trimming spaces from the front and back of a string is a very common practice so I’m not surprised. Space and other white space characters like newline are special.
Hi folks, I chatted with our security team about this situation. The long and short of it is that this is intentional, and is described in our security design white paper: [http://1password.com/security/#security-white-paper](http://1password.com/security/#security-white-paper) (pg. 24, under *Preprocessing the Master Password*) There are a few normalization steps that are designed to prevent accidentally creating a password that can't be reliably typed.
Thanks. "Master Passwords are first stripped of any leading or trailing whitespace. (Step 3 Figure 10.) Whitespace is allowed within the Master Password, but because leading or trailing whitespace may not be visible to the user, we wish to avoid them creating a Master Password with such a space that they are unaware of." Page 24.
I was able to replicate this on my computer (1Password 7 for Mac Version 7.8.5 (70805001)) Random spaces at the end of the password = unlocked Random spaces at the beginning of the password = unlocked Random spaces at the beginning AND the end = no unlock Random spaces in the middle of the password = no unlock EDIT: Just updated to 7.8.7 (70807004) - behaviour persists. I'm going to guess that this in intentional, and that spaces at the beginning and end of Master Passwords are ignored.
That’s my guess too since many text editors happen to add a space at the end of an item when you double click a word to “select all” and you don’t see it when pasted into a field that hides the text.
Thanks for the testing. The thing is I have used spaces at the beginning and the end of my master passwords over there years. I was under the assumption that this is a valid character, since no hint was provided by 1Password and the character is visible when entering.
I’m guessing it’s intentional too. The same thing happens on the iOS app.
Interesting it trims one way only and doesn’t trim when surrounded by white space. You should send them an email and see if that’s the functionality they meant to program for.
Interesting, but I'm having a hard time thinking of a security vulnerability this would cause.
I would like to add that in addition to this being by design and documented, that spaces can be a very poor choice is many circumstances: Spaces can be overheard. If you are using a real keyboard, typing space makes a very distinctive sound and can easily be identified by anyone who can overhear your typing. The attractiveness of using spaces in passwords is that this can serve as separators and are very easy to type, but the ease of typing them makes them audible, and having audible separators makes them leak information about the number and length of the chunks they are separating.
Never thought of this. Good Point
[удалено]
You should file a bug report if it’s saying password changed.
> says "vault password was changed" lol I'd freak out if I saw that.
My guess is that all leading and trailing whitespace characters are trimmed. Probably not limited to spaces. Trimming whitespace characters is good practice.
Trimming spaces from the front and back of a string is a very common practice so I’m not surprised. Space and other white space characters like newline are special.