Asus new firmware doesn't allow spaces in WPA2/WPA3 passwords

[Kritiker]

So, no one who can tell me why? Just "because"? I really would like to know.

I haven't been able to find anything about (recent) problems with spaces but I have found things like the following from InfosecMatter from 2021-04-10 :

Can passwords have spaces?​

Yes, passwords can contain spaces. There is absolutely no plausible reason for disallowing users to use spaces in the passwords. However, there might be certain situations where using of spaces is restricted, e.g. due to various technological limitations or obsolete (legacy) password policies.

Historically, using spaces in passwords was not a recommended practice, pointing out the fact that some major online platforms are not allowing it along with a variety of other software not allowing it.

A lot has changed since then.

Today, practically all modern applications, systems and websites allow you to use spaces without a problem.

All major operating systems (Windows, Apple, Android or Linux), popular social media platforms (Facebook, YouTube, WeChat, Instagram, TikTok, Twitter, Pinterest ..), freemail providers (Gmail, Yahoo, Hotmail, ProtonMail, AOL Mail ..) and practically any other modern software or online service, will allow you to use a space character in your password without any problem.

 

[ColinTaylor]

So, no one who can tell me why?

No, because we're not Asus and this is not an official Asus support channel. I suggest you try and contact Asus directly (but don't hold your breath waiting for a sensible answer).

 

[Yota]

So, no one who can tell me why? Just "because"? I really would like to know.

I haven't been able to find anything about (recent) problems with spaces but I have found things like the following from InfosecMatter from 2021-04-10 :

A good guess is that because they implemented encryption of the password, so no longer compatible with the space, which means that there is also no plaintext password in the nvram (place to save the router configuration) Before this, people could SSH into routers to get plaintext passwords, which makes it easy for malicious scripts to obtain these sensitive content. Their encryption and decryption programs may not have compatible the space.


Edit
Incorrect assumption, see here for reasons

 

[Yota]

I support spaces anyway, it's a supported symbol. Although whitespace has created many compatibility problems in the past and present, these problems are caused by developers not handling special characters well, not users.

Whether it's a device that doesn't support entering spaces, or on a system because the programmer didn't escape spaces properly, or forgot to put double quotes, it's the developer's fault, not the user.

When in 1990 Windows started to provide filenames and folders that support spaces, it was a huge improvement, because before that no one could use spaces in directories or filenames because the system didn't support it, but when the system did support it for people brings countless possibilities.

It's like when a developer tells people, "It's more efficient to have a circular wheel" and then they say "We can't make a perfect circle, keep using square wheels". This will only lead to a lack of creativity, and keep us from progressing.

Can you accept that when you played Tomb Raider in 1995 and saw "square wheels", then 27 years later they are still square?



Here, when we talk about spaces, we are actually talking about a very simple question, which is should the user accept the laziness of the developer, or should the developer accept the laziness of the user? The answer depends on who is using that "space", the user or the developer? If it's a user, then it's the developer's responsibility to support it, as it will make it easier for the user to type.

I still remember back in the 1990s, Windows advertised that one of their advantages over the competition was support for spaces, and even later they forced developers to support spaces (put the program default folder at "C:\Program Files") so developers "Spaces" must be supported, which makes Windows' UI a better user experience.

That's why Windows win the market because they provide a better user experience and they know they're targeting users, not developers. Developers make programs for users, not users learning how to program. The users of Asus routers are not only developers, but also users without professional background.

 

[L&LD]

Or, learn/implement one simple rule, no spaces, and sidestep all this once and for all.

 

[Kritiker]

Thanks, @Yota for your well-reasoned reply. You said it better than I could have.

And yes, @L&LD , that is the answer going forward with my Asus routers. I am not about to get Asus to change so I really don't have a choice. But I don't have to like it and I can ask why.
[Aside: I have found some of your posts most informative. Thanks.]

And @ColinTaylor, I wasn't expecting any kind of "official" answer.

I was getting the impression that I was missing something obvious, that the other posters knew, and I was just hoping they'd tell me.

I appreciate everyone's time and attention. Thanks.

 

[Tech9]

Space is a valid character. My Guest network password is 3 separated words for years. I use a different Wi-Fi system though. Asus has a problem with it.

 

[TexasFlood]

Space is a valid character. My Guest network password is 3 separated words for years. I use a different Wi-Fi system though. Asus has a problem with it.

I have spaces in my network passwords. I know it was an issue in the past but thought that was history. If I have to change them then I will but would rather not.

 

[Tech9]

Asus hit some issues and decided to limit the user. Problem solved the easier way.

 

[Yota]

Asus hit some issues and decided to limit the user. Problem solved the easier way.

If they can't handle spaces when encrypting/decrypting passwords, then they should hire a better programmer instead of dropping support for spaces.


Edit
Incorrect assumption, see here for reasons

 

[L&LD]

Why 8 Alphanumeric SSID Characters

 

[XIII]

If they don’t store the password in plain text, but properly hash it, a space should be no problem at all (as input for the hash function).

So I’m kind of worried by the fact that they don’t allow spaces…

 

[Yota]

If they don’t store the password in plain text, but properly hash it, a space should be no problem at all (as input for the hash function).

So I’m kind of worried by the fact that they don’t allow spaces…

No, the router must know the WPA key in order to use it to establish a valid WPA handshake. So, the router cannot just store the hash of the password.

Asus currently only encrypts the password in nvram and saves it in a human-unreadable form, but if you know the encryption and decryption process, you can restore the plaintext of the password.


For the password for logging into the router, Asus also uses the same encryption, but they also can't just hash, because when the user logs into the router via SMB, the SMB server needs to know the correct password.


Edit
Incorrect assumption, see here for reasons

 

[dosborne]

Just when I was going to changing all my passwords and passphrases to 6 or 8 spaces.... Asus has to step in.

Lol

For more historical reasons why spaces were not used, a space was considered a delimiter character making it near impossible to enter a password on a command line for example. This was was fixed with enclosing parameters in quotes when required, but again was a legacy thing that should not really be valid today. When I grew up there was no GUI, or form entry, etc and we knew to avoid spaces at all costs in anything possible. It has actually been hard to adapt this behaviour in recent years to include "symbols" when forced as my brain clings to alphanumeric (being A-Z, 0-9) still.

 

[OzarkEdge]

I am afraid to touch any configuration, or upgrade any service, for fear of having something far more serious, possibly far more time-consuming, than disallowing spaces in WPA keys, happen.

Welcome to the club... permitting spaces in passwords would not change this.

OE

 

[Kritiker]

In switching my WPA2 keys from phrases like "1st time lucky..." containing spaces to keys like "1tl..." I was "reminded" to watch out for "l" vs "1" confusion. Even in fonts where they are different, the difference is sometimes hard to notice if they aren't close enough together. I had an "l" in the key but no "1"s and I didn't notice, at first. We solve one problem and another pops up.

"Whack-a-mole" any one? ;-)

 

[Kritiker]

Here's something I would never use as a WPA2 key,
4F2043616E616461210A4F757220686F6D6520616E64206E6174697665206C61
but it works, and it "contains" blanks, an exclamation mark and a line feed. Just a bit of levity. Sorry!

 

[OzarkEdge]

In switching my WPA2 keys from phrases like "1st time lucky..." containing spaces to keys like "1tl..." I was "reminded" to watch out for "l" vs "1" confusion. Even in fonts where they are different, the difference is sometimes hard to notice if they aren't close enough together. I had an "l" in the key but no "1"s and I didn't notice, at first. We solve one problem and another pops up.

"Whack-a-mole" any one? ;-)

You can still use phrases... just omit all characters except the first letter of each word.

OE

 

[Martinski]

No, the router must know the WPA key in order to use it to establish a valid WPA handshake. So, the router cannot just store the hash of the password.

Asus currently only encrypts the password in nvram and saves it in a human-unreadable form, but if you know the encryption and decryption process, you can restore the plaintext of the password.

Am I correct in assuming here that the part about "encrypting the WPA password in NVRAM" is just speculation even though it's not clearly indicated as such? Or perhaps you meant to say that this is the case for the newer "AX" router models, but not for the older "AC" models. Is this what you mean?

Currently, I don't have access to any "AX" models; but so far, with all the ASUS routers that I do have access to (RT-AC68U, RT-AC86U, RT-AC88U, RT-AC5300, GT-AC5300) I can see that all WPA PSK strings are *not* stored in NVRAM in an encrypted form at all. They're all found in human-readable, plain-text format.

You can check & verify this by typing the following command on your router via an SSH terminal window:

nvram show | grep "_wpa_psk"

 

[ColinTaylor]

Currently, I don't have access to any "AX" models; but so far, with all the ASUS routers that I do have access to (RT-AC68U, RT-AC86U, RT-AC88U, RT-AC5300, GT-AC5300) I can see that all WPA PSK strings are *not* stored in NVRAM in an encrypted form at all. They're all found in human-readable, plain-text format.

The same is true on the AX models. The WiFi passwords are not encrypted. It is the main "admin" password that is encrypted as well as the Samba/FTP accounts.