Udostępnij za pośrednictwem


News Flash: Spaces are legal characters in both filenames and passwords!

I recently figured out a problem that I've been having with one of our internal tools.  The tool is used to automatically deploy our daily builds (extremely handy when you're doing that every other day to several test machines).  As a part of the tool, you need to include the password for a test account.

We normally use the tool from an automatic test harness, essentially I enter the 4 or 5 parameters to the test and it automatically runs the tool (and other stuff if necessary).

The problem I had was that I would enter my account and password but the tool kept failing after reporting invalid parameter errors.  It worked perfectly when I used a different account that is used by our testers, but when I tried using my preferred test account it kept on failing with some kind of command line parsing error.

Eventually I tracked down the actual command line being passed by the harness into the tool and I was immediately able to see the problem.

 

Being a security geek, my "password" is actually a passphrase - the theory is that passphrases are harder to crack than passwords because they are drawn from a larger dictionary.  So my passwords tend to be things like "The rain in Spain falls mainly on the plain".

In this case, the test harness took my password and passed it to the tool as follows (assuming that the command line for the test tool is "testtool.exe -useuser <username> <password>:

testtool.exe -useuser testaccount The rain in Spain falls mainly on the plain

Doh!  Either the test tool or the test harness wasn't handling the spaces correctly.  I tried an experiment and ran the test tool manually:

testtool.exe -useuser testaccount "The rain in Spain falls mainly on the plain"

and it worked!  So it appears that the problem was that the test harness wasn't correctly handling the spaces in my password.

 

So I went to the maintainer of the test harness and described the problem to him.

His response?  "I never knew you could have spaces in a password!  Wow, I didn't even think of that."

 

Sigh.

On Microsoft operating systems, spaces have been legal in filenames since MS-DOS 2.0 (about 1982) and in passwords since MS-NET 1.0 (about 1984).  I'm astonished that 25 years later there are people who still don't know that.

Comments

  • Anonymous
    June 03, 2008
    I hear you man.  I encounter this sort of thing (not with passwords, but filenames) all the time.  I sympathize.

  • Anonymous
    June 03, 2008
    And thus, "Program Files" and "Documents and Settings" were born - apocryphally, to force the others that didn't know that filenames can contain spaces.  So when you see an app that wants to install in C:Litware, guess why (often, anyway)?   Heh, we had an issue with our app on 64-bit Windows because Oracle didn't like the parentheses in Program Files (x86).

  • Anonymous
    June 03, 2008
    (Eh, I don't know if you're as zealous about "don't name names" as Raymond, so bowdlerize accordingly.  I personally don't like to reward vendors with shoddy or lazy things like this and prefer to point them out.  I remember a post on "don't spam the quick launch/system tray/top of start menu with your crapware" and a comment was, "I wondeR who hE's tALking about" http://blogs.msdn.com/oldnewthing/archive/2003/09/03/54760.aspx#54762)

  • Anonymous
    June 03, 2008
    Mark, I try not to disparage other vendors, simply because it's stupid to point fingers - there's more than enough blame to go around. Sometimes you need a forcing function :).

  • Anonymous
    June 03, 2008
    Unfortunately, this isn't (to my knowledge) the only internal MS tool that fails at handling passwords with spaces in them - there are so many others that I had to give up on using spaces in my passphrases and instead smush everything up into one word. Makes for an interesting experience when you're trying to type your password out in a hurry. :)

  • Anonymous
    June 03, 2008
    Of course.  We all make mistakes, but then there's willful/negligent/lazy stuff (like Apple's new Safari "flaw"/"not flaw").

  • Anonymous
    June 03, 2008
    OK, but don't you get tired of typing long passwords? How often do you unlock your workstation?

  • Anonymous
    June 04, 2008
    The comment has been removed

  • Anonymous
    June 04, 2008
    The comment has been removed

  • Anonymous
    June 04, 2008
    Adding quotes solves this problem. But it would not solve the problem of Unicode characters in user name/passwords, which are also valid :-) I know, the console has /U and some level of Unicode support, but it is tough to tell in this case (testtool would need to use wmain, for instance :-)

  • Anonymous
    June 04, 2008
    The comment has been removed

  • Anonymous
    June 04, 2008
    Sure, Harry, if the test harness did something like "%password%" (assuming it uses batch file syntax) to call testtool, it could be foiled by a quote. But it is kind of scary that the developer didn't know the args could have spaces. Just don't put him in charge of validating Internet data.

  • Anonymous
    June 04, 2008
    The comment has been removed

  • Anonymous
    June 04, 2008
    I didn't know spaces were valid in a Windows password until I happened to be watching a Microsoft video a year or three ago.   Oh I knew all about file names having spaces but not Windows passwords. I'm a database developer specializing in MS Access for the last ten or fourteen years.  I've been using Windows at least that long.   Many, many users don't know that either.  I've asked around. I'd suggest adding some text to the Windows login screen.

  • Anonymous
    June 04, 2008
    The comment has been removed

  • Anonymous
    June 04, 2008
    This is why my password is 16 spaces - nobody would ever guess that!

  • Anonymous
    June 04, 2008
    Try installing Vista into "C:Windows Vista (x64)" instead of C:Windows then come back and tell us that spaces are legal in filenames.

  • Anonymous
    June 04, 2008
    Ooh, that's a new one. I've seen systems break horrendously with other characters (such as , ; or : ) that are used internally as separators, but I've never thought to try it with spaces. I wonder how many of our corporate apps would fall over at that one. That could make for a fun afternoon....

  • Anonymous
    June 04, 2008
    Spaces are also legal in usernames. We can't use a very expensive monitoring tool because the licence manager can't recognise our usernames.

  • Anonymous
    June 04, 2008
    The fact that you can create such a folder shows they are legal in filenames, obviously.  That software misbehaves or ignores this fact doesn't make it untrue.

  • Anonymous
    June 05, 2008
    The comment has been removed

  • Anonymous
    June 05, 2008
    The comment has been removed

  • Anonymous
    June 05, 2008
    Larry, you'd better tell that to your colleagues over at Windows Live. Just yesterday I was trying to change my password, and it wouldn't let me put spaces (it failed and complained about illegal characters).

  • Anonymous
    June 05, 2008
    The comment has been removed

  • Anonymous
    June 05, 2008
    budsbd: Live may have their own password policy, I was referring to Windows.

  • Anonymous
    June 05, 2008
    Sound like the test harness is open to "harness injection". How would it handle a password like "password &echo I am an evil injected script"? I initially wanted to write "format c:" there, but a test harness that installs Windows probably does that anyways.

  • Anonymous
    June 05, 2008
    The comment has been removed

  • Anonymous
    June 05, 2008
    The comment has been removed

  • Anonymous
    June 06, 2008
    Non-printable characters are legal for filenames/users/passwords as well (e.g. ALT-255), and can sometimes defeat validation on fields that don't allow just empty spaces.

  • Anonymous
    June 15, 2008
    The comment has been removed

  • Anonymous
    June 22, 2008
    The comment has been removed

  • Anonymous
    June 27, 2008
    Mr. Osterman informed me by e-mail that the fatgen103.doc document is incorrect and might get fixed. I hope someday to know the correct rules. Now for a comment about passwords.  Around 30 years ago I used a system where pressing just the backspace key would delete input of the previous character, but pressing shift + backspace would input a backspace character.  When setting my password I intentionally input a backspace character, and it appeared to work.  When logging in I did the same thing, and got logged in.  But later I learned that backspaces were illegal in passwords on that system.

  • Anonymous
    July 09, 2008
    The comment has been removed