No Text Logo

Invisible Password Experiment A : Real World Twitter Test

blank

Introduction:

While conducting an account Testing Audit, we discovered a flaw in one of Twitter’s Authentication API endpoints. The service will accept passwords consisting entirely of invisible Unicode characters—no letters, numbers, or special characters needed. This trial records our approach, results, and significant insights for digital security.

Test Methodology & Setup

1. Tools and Test Environment

We repeated the Hangul Filler character (U+3164) construction 15 times with [No Text Tool], which produces a valid, but visually empty, Unicode character string. For this experiment, we had to create a disposable email account ([email protected]) to not violate any policy.

The testing was conducted on two environments:

You Can See The Registration Process

  • 1
     Chrome (Windows 11)
  • 2
     Firefox (window 10 )

2. Account Creation Process

The pasted invisible characters were received successfully without mistakes after pressing OK in the password field. Twitter’s complex validator passed “empty”, so I guess Twitter’s looking for character presence, not visibility.

We Sign in to twitter with invisible spaces

  • 1
     Key Experimental Findings
  • 2
     Disillusion: You especially won't teach them if they don't feel like they need to
  • 3
     Emotional Avoidance — Some people avoid responding due to fear of conflict or uncomfortable situations.

Key Experimental Findings

1. Desktop Authentication Success

Several rounds of login/logout turned out to be working smoothly across browsers. And the developer tools confirmed the provided password was:

Copy Hex values: Byte length:
Download
U+3164 x15
30 bytes (UTF-8 encoding)

This is evidence that the back end of Twitter interprets Unicode whitespace as valid input.

2. Critical Security Risks

The experiment revealed two alarming scenarios:

  • 1
     Account Recovery : If you forget your password, Twitter May ask for your old password to verify.
  • 2
     Terms of Service Violation : This technique is, however, legally questionable -- Twitter bans "non-standard characters" (§3.2) outright.

Technical Analysis: Why This Works

Unicode Handling in Authentication

Twitter’s authentication process seems to:

  • 1
     Character count (Minimum character length)
  • 2
     Check for UTF-8 validity
  • 3
     Ignore the Visibility Unicode properties.

While financial institutions may strip whitespace, Twitter retains an exact match of the input—a tradeoff with some interesting implications.

Security Implications

Advantages

  • 1
     Preventing dictionary attacks (can't guess any words)
  • 2
     Prevents shoulder surfing (field is blank)
  • 3
     Misleads simple keyloggers , which only record the visible characters + Escape Key, and it records it in a hex format.

Dangers

  • 1
     No fallback for losing password
  • 2
     Sudden Actualization of Policy Effectiveness
  • 3
     Mobile access instability

Ethical Considerations & Warnings

Research-Only Application

This test was conducted under controlled conditions using disposable accounts. Westrongly discourage real-world use because:

  • 1
     Twitter could ban Your Account.

Developer Recommendations

Platforms should implement:

python Copy Download
def validate_password(password):
if not any(c.isvisible() for c in password):
raise InvalidPasswordError(“Contains no visible characters”)

Conclusion & Next Steps

Key Takeaways

  • 1
     The Unicode handling behavior of Twitter's auth system was unexpected
  • 2
     Invisible to the user, but at a recoverability cost
  • 3
     Do not do this with crucial accounts ever.

Upcoming Experiments

In Experiment B We  Will test Facebook Password Against invisible characters.