Do spaces in a passphrase really add any more security/entropy?

No (with a minor exception at the bottom).

The passphrases "correct horse battery staple" and "correcthorsebatterystaple" are equivalent entropy-wise. Choosing to put spaces in an incorrect spot or sometimes including spaces and sometimes not including spaces will give you a few extra bits of entropy; but it's not worth it for the extra difficulty remembering it. You'd gain a few bits of entropy for the entire passphrase for a weird spacing pattern; while just adding another word would add about 13 bits (assuming a diceware dictionary of 7776 words corresponding to 5 rolls of a six-sided die; note that lg(6^5) = 12.92; lg being the base-2 logarithm). (There's no disagreement between my answer and Thomas's; an attacker would have to check for passphrases both with and without spaces unless he had extra information about whether you tended to use spaces in your passphrases).

Beware the distinction between random words and meaningful sentences. A passphrase "quantum mechanics is strange" is much lower entropy than, say, "heat fudge scott canopy". Why? In meaningful English you have patterns like certain words combining frequently (quantum mechanics) or certain patterns that must appear to be grammatically correct (subject, predicate, subject complement) that in principle could be exploited by a sufficiently sophisticated attacker (even though I am not aware of any cracking algorithms that currently utilize this). The informational entropy of grammatically correct written English is about 1 bit per character, so the first passphrase has ~30 bits [1], while the second passphrase has about 4×12.9 ≅ 52 bits of entropy; so it would take about 2^22 ≅ 4 million times longer to crack.

Be wary of incorrect analyses like http://www.baekdal.com/insights/password-security-usability that make many fundamental information theory mistakes. E.g., "this is fun" is incredibly weak, being comprised of some of the most common English words in a syntactically correct sentence that is very common ('this' ~ 23rd most common; 'is' ~ 7th most common; 'fun' ~ 856th most common word) [2]. If you tested just three random words from the top 1000 English words, it would take you only 1 second to crack it, assuming a modern GPU and you have acquired the (salted) hash. This is roughly equivalent to 5 random alphanumeric characters (not counting special symbols). If you search Google for the quoted phrase "this is fun" it appears 228 million times.

EDIT: Minor exception: in the rare case when consecutive words in your passphrase form another word in your dictionary (or your attacker's dictionary), then not having spaces (or another separator) between words lowers your passphrase's entropy significantly. For example, if the random words forming your passphrase were "book case the rapist" and you had no spaces, an attacker could get in by trying all combinations of just two words 'bookcase therapist'.


Spaces in a passphrase add entropy exactly insofar as they could not have been added. An important point is that an attacker cannot test for a partial match on a password; contrary to what Hollywood movies tend to suggest (in a most graphic way), there is no such thing as a "partial decryption" (where the text is partly legible, but blurred) or a "partial password". The attacker has the exact expected password, down to the last comma, or nothing at all. This is a login system, not a game of Mastermind.

For instance, suppose that you make passwords by randomly selecting four words in a list of 2048 "common" words, and appending them (the "correct horse battery staple" method). We assume that any attacker knows that you are selecting passwords that way (e.g. that's the "official password selection method" promulgated by the sysadmin). How much entropy is there in such a password? That's easy to compute (assuming you are really selecting things "randomly", with dice, not with your brain): there are 2048*2048*2048*2048 = 2^44 possible passwords, which all have the same probability of being selected. Hence, 44 bits of entropy.

Now, suppose that the selection process also states: "You shall concatenate the four words without any space". There are 2^44 possible passwords, so 44 bits of entropy. Assume now that the rules say: "You shall always put a single space between two words". There still are 2^44 possible passwords, so still 44 bits of entropy. But suppose that the rules say: "you shall either separate the words with spaces, or concatenate them all together (throw a coin to decide one way or another when you choose your password)", then there suddenly are 2^45 possible passwords (still with equal probability): entropy is now 45 bits.

Even more generically, if the password selection process entails throwing a coin three times, to decide for each slot between two words if there should be a space or not, then entropy rises to 48 bits. But note that this is not "free": you get more entropy, but you have to remember more, too (namely where you put the spaces).


On a practical note: on a typical keyboard, the space bar, when pressed, emits a slightly different sound. If your office colleague has a keen ear, he may notice whether you use it or not, and possibly at what places. Also, your colleague knows perfectly well the password selection rules which are advertised in your organization, since he is, by definition, in the same organization as you. So I would advise against using spaces as a source of entropy. Especially if you use the "four words rule" and not all words in the list have the same length: the long-eared colleague may deduce the length of each word by hearing the spaces when they are typed.
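As an added example (not code from any of the answers above), the following Python puts numbers on two points made on this page: the entropy of the selection rules in the answer just above (n words from a list, with the separator decided once or independently in each gap), and the "minor exception" from the first answer, where a spaceless concatenation such as "book case the rapist" is reachable by an attacker who enumerates shorter phrases. The toy word list, the function names and the guess-counting model (the attacker tries all 1-word phrases, then all 2-word phrases, and so on) are assumptions made for the example.

```python
import math
from functools import lru_cache

# Constructed toy word list (not a real diceware list); it deliberately holds
# the compounds that make the page's "book case the rapist" example ambiguous.
WORDS = ["book", "case", "the", "rapist", "bookcase", "therapist",
         "correct", "horse", "battery", "staple"]


def selection_entropy_bits(dict_size, n_words, separator_choices=1, per_slot=False):
    """Bits of entropy when n_words are drawn uniformly (with replacement) from
    dict_size words. The separator_choices equiprobable separator options are
    either decided once for the whole phrase (per_slot=False) or independently
    in each of the n_words-1 gaps (per_slot=True)."""
    bits = n_words * math.log2(dict_size)
    gaps = n_words - 1 if per_slot else 1
    return bits + gaps * math.log2(separator_choices)


def shortest_segmentation(secret, words):
    """Fewest list words whose spaceless concatenation equals secret, or None
    if no segmentation exists. An attacker enumerating 1-word, then 2-word,
    ... phrases without separators reaches secret at exactly this depth."""
    wordset = set(words)

    @lru_cache(maxsize=None)
    def best(i):
        if i == len(secret):
            return 0
        tails = [best(j) for j in range(i + 1, len(secret) + 1)
                 if secret[i:j] in wordset]
        tails = [t for t in tails if t is not None]
        return min(tails) + 1 if tails else None

    return best(0)


def guess_work_bits(phrase_words, words, separator=""):
    """log2 of the guesses spent enumerating all phrases of 1..d words, where
    d is the depth at which the phrase first appears. With a separator, d is
    the true word count; without one, d can be smaller (the exception)."""
    if separator:
        depth = len(phrase_words)
    else:
        depth = shortest_segmentation("".join(phrase_words), words)
    return math.log2(sum(len(words) ** k for k in range(1, depth + 1)))
```

With the toy list, "book case the rapist" written without spaces is found at depth 2, while "correct horse battery staple" still needs depth 4 either way.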


The simple answer is yes, but not very much. Think about the character space: if you are looking at alphanumeric including upper and lower case, that gets you 62 chars (a-z, A-Z, 0-9). Adding {space} means 63 chars, so you have improved by 1/62.

Contrast that to adding an extra character which increases your entropy exponentially.