New Password Guidelines from the National Institute of Standards and Technology
venturebeat.com
Punching through to the actual draft, I see this allowance for passwords:
"Verifiers MAY remove multiple consecutive space characters, or all space characters, prior to verification provided that the result is at least 8 characters in length."
It really stands out compared to the transparently-reasoned requirements around it, though this rationale is provided later:
"Users should also be able to include space characters to allow the use of phrases. Spaces themselves, however, add little to the complexity of passwords and may introduce usability issues (e.g., the undetected use of two spaces rather than one), so it may be beneficial to remove spaces in typed passwords prior to verification."
I still dislike that it breaks the "just hash what I enter" axiom (normalizing Unicode aside, obviously). At least it's "MAY"!
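A sketch of the optional space handling quoted above, added here as an example and not taken from the draft or from the comment's author. It shows that the same normalization must run at both enrolment and verification and that the 8-character floor applies to the result. Assumptions: "remove multiple consecutive space characters" is read as collapsing each run to one space, Unicode is normalized with NFKC, and the function names, the PBKDF2 parameters and the sample passwords are made up for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

MIN_LENGTH = 8           # minimum length from the quoted draft text
PBKDF2_ROUNDS = 100_000  # illustrative work factor (assumption)


def normalize(password: str, mode: str = "collapse") -> str:
    """Apply the optional space handling the draft allows.

    mode="none"     -> hash what was typed (after Unicode NFKC only)
    mode="collapse" -> each run of consecutive spaces becomes one space
    mode="strip"    -> all space characters are removed
    """
    text = unicodedata.normalize("NFKC", password)
    if mode == "collapse":
        text = re.sub(r" {2,}", " ", text)
    elif mode == "strip":
        text = text.replace(" ", "")
    elif mode != "none":
        raise ValueError(f"unknown mode: {mode}")
    # The draft's proviso: the *result* must still be at least 8 characters.
    if len(text) < MIN_LENGTH:
        raise ValueError("password too short after normalization")
    return text


def enroll(password: str, mode: str = "collapse") -> dict:
    """Return a stored record; the mode is saved so verification matches."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password, mode).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest, "mode": mode}


def verify(record: dict, attempt: str) -> bool:
    """Normalize the attempt with the record's mode, then compare."""
    try:
        candidate = normalize(attempt, record["mode"])
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])
```

Storing the mode with the record matters: switching a deployment between "none", "collapse" and "strip" without re-enrolment would make previously valid passphrases fail.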
Ugh with the headlines. It's a DRAFT.
This doesn't change NIST guidelines or PCI requirements or anything. (Yet.)