I have recently setup "2-step verification" for my Google account.

One of the features is the ability to create "Application-specific passwords" for devices that do not support the 2-step process (apps on smartphones such as Android, BlackBerry or iPhone, mail clients such as Microsoft Outlook, chat clients such as Google Talk or AIM).

Google pic 1

When you create one of these passwords, Google tells you that the "spaces" don't matter.

Google pic 2

Does this mean that…

  • passwords are sent in plaintext, and they can therefore strip out the spaces on the other end (I know mail clients may do this, but would Google products such as Gmail and Calendar or ActiveSync?)
  • the hashing methods they use strip out the spaces (but they wouldn't be able to control how 3rd party products hash)
  • they store two hashes of the passwords on their end, one with spaces & the other without (If this is the case, wouldn't they have to store more than two, one for each possible combination of 3 places where a space may be?)
curiousguy
Corey
  • Not sure how they implement it, but just to note Facebook do something similar. If your password is 'Hello' then 'hELLO' will work also. You would hope there is pre-processing to the hashing or multiple hashes. – Andy Smith Jan 17 '12 at 15:13
  • 7
    In this particular case your passwords DO NOT contain spaces. The reason Google adds spaces is for the ability to present the password in a way you can write it down, basically pretty printing. I suspect the password is sent to Google in a manner that they can manipulate the string how they want; after all, it's not actually your password. – Ramhound Jan 17 '12 at 16:59
  • 1
    I also tested the Google Talk app, and it accepted multiple versions of the password with different spacing. – Corey Jan 17 '12 at 18:54
  • Perhaps this only works if Google is able to receive the plaintext password on its end (via an otherwise secured manner like SSL) which it can then parse and remove the spaces from. – Corey Jan 17 '12 at 19:00
  • 3
    @Ramhound However, they actually don't matter, in the sense that they work with or without spaces. I tried totally random spacing and they still work. – Corey Jan 17 '12 at 19:05
  • **It should be entered without the spaces.** I tried it on my old Nokia phone, and it worked only if I left out the spaces. Also when you copy it on the computer it copies without spaces. – lindhe Nov 09 '14 at 14:45

2 Answers

  • Passwords are sent in plain text; that's why you use SSL to set up a secure connection so no one can sniff your communication. Suppose you would send a hashed password: they would still be able to just sniff the hash and forge a request, since the server would be expecting a hash instead of the password (which is basically just a string again).
  • Storing hashes is primarily done to make sure that when the database is hacked/looked into they cannot see your password and try to re-use it on other accounts/services.
  • They possibly strip off spaces before hashing the password. As you say yourself, keeping a password's hash for every possibility where a white space could be would mean storing multiple hashes. Or the password is always constructed of four groups of four letters. Then it would be easy to first remove all spaces and then just split it up again into 4 groups of 4 letters.
user32421
Lucas Kauffman
  • I'm not really looking at it from a security standpoint, only curious how they are dealing with the spaces. – Corey Jan 17 '12 at 19:02
  • 3
    ah, they just parse them :) – Lucas Kauffman Jan 17 '12 at 19:03
  • @LucasKauffman, still it would be better to hash before it is put on the network, wouldn't it? For when the SSL is flawed, the attacker will not be able to get the password but just the hash. – Pacerier Jan 26 '18 at 06:23
  • 2
    @Pacerier But in that case, the hash **is** your password. Since the server never gets the original password, the attacker never needs it either -- they can just send the hash. – SilverWolf Nov 04 '18 at 17:56
Most likely the answer is:

The passwords are sent to the Google server, over an SSL-encrypted channel. Thus, the Google server sees the password that the client has provided. The Google server strips off any spaces before hashing the password. Thus, you can think of the password as having no spaces (the spaces are added only for display). Or, you can think of the password as having spaces, but the hashing process ignores spaces. Either way, it is equivalent in the end.

3rd party hashes are irrelevant. The hashing is done by Google servers, so all that matters is how Google hashes the password.

D.W.
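Worked example of the scheme both answers describe, added here as illustration (it is not code from either answer or from Google): the server normalizes the application-specific password by removing all whitespace, hashes that normalized string once, and verifies any spacing the client sends against that single stored hash. It also counts how many hashes the "one per spacing" alternative from the question would require. The 16-letter value, the PBKDF2 parameters and the helper names are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Google shows application-specific passwords as four groups of four letters.
# Constructed sample value for this example, not a real password.
DISPLAYED = "abcd efgh ijkl mnop"


def normalize(app_password: str) -> str:
    """Drop every whitespace character: the spaces exist only for display."""
    return "".join(app_password.split())


def hash_password(app_password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the normalized password with a per-password random salt (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize(app_password).encode(), salt, 100_000)
    return salt, digest


def verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Server-side check: normalize the submitted string first, then compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def spacing_variants(length: int, gaps: Optional[int] = None) -> int:
    """How many hashes a server would need if it stored one per possible spacing.

    Each of `gaps` positions between letters may or may not hold a space;
    by default every one of the length - 1 gaps is a candidate position.
    """
    gaps = length - 1 if gaps is None else gaps
    return 2 ** gaps


if __name__ == "__main__":
    salt, stored = hash_password(DISPLAYED)
    for attempt in ("abcdefghijklmnop", "ab cd efgh ijklmnop", DISPLAYED):
        print(repr(attempt), verify(attempt, salt, stored))
    print("hashes for 3 fixed gaps:", spacing_variants(16, 3))
    print("hashes for any spacing:", spacing_variants(16))
```

With three fixed gap positions the multi-hash approach needs 8 hashes; with spaces allowed anywhere between the 16 letters it needs 32768, which is why normalizing before a single hash is the sensible design.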