Disallowing characters in a password?

+2 A:

Why would you want to limit characters in a password? You should be doing some sort of hashing anyways. My passwords frequently contain special symbols including ones that aren't included on the keyboard.

If you want limitations, they should only require them to be more complex, not less.

Daniel Egeberg 2010-07-03 09:03:57

"special symbols including ones that aren't included on the keyboard", like what?

Alix Axel 2010-07-03 09:20:02

on most of the keyboard, those letter don't appear : æøå

Stephane 2010-07-03 09:25:54

@Alix Axel: Random unicode characters or things with chr(c)>127. My password are long and randomly generated. They're stored in an encrypted database on my computer (KeePassX specifically).

Daniel Egeberg 2010-07-03 09:34:40

I wonder what happens if you choose the unicode mirroring character (`U+202E`) as part of your password. Would the hash algorithms detect that or hash the password in reverse? It would be a nice thing to try.

Alix Axel 2010-07-03 10:17:07

+3 A:

There is no technical reason to disallow any characters in a password. I guess in the case you describe, they would allow only alpha-numeric characters to avoid problems on the user's side (say, by entering a character that isn't available on keyboards in another country).

Many providers and sites force users to choose very complex passwords containing a minimum number numbers and, sometimes, evenb special characters to prevent brute-forcing or dictionary attacks.

I don't think forcing people to choose a complex password is wise. Passwords you can't remember, you will write down somewhere, which is often creating a much bigger security risk in real life.

A simple rate limit in the login system (e.g. deny access for 15 minutes after 3 failed login attempts) takes the edge off the brute-forcing threat much more elegantly.

One doesn't have to agree 100% with it, but I found this provocative paper on the subject from Microsoft Research very interesting. So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users

From the abstract:

It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.

Pekka 2010-07-03 09:08:43

+1 for not forcing. =)

Alix Axel 2010-07-03 09:23:34

+1 for no restrictions. I distrust sites that feel the need to restrict my password - it makes me wonder why they feel the need to restrict it, and how they are storing it.

Mike 2010-07-03 09:28:53

Writing down your complex password isn't as much a security risk as not writing down your weak or "easy to guess" password. Most attacks are made remotely. If people have access to your desk where your written down password is, they will also be likely to have physical access to your computer with cookies that keep you logged in. That is unless you encrypt your harddisk, but I don't know any non-geek that does that.I don't think a lockout system is a good idea. It will be too easy doing a DoS against your users. All I have to do is make a few failed attempts on your account to lock you out.

Daniel Egeberg 2010-07-03 09:39:14

@Daniel good points re remote attacks, although I'm nevertheless strictly against forcing secure passwords upon people. I also really think a lockout system is a good and tested thing. I see lots of big, mass-market providers use one, something they couldn't do if they had a lot of problems with DoS attacks. The possibility of locking out a user still remains, that is true.

Pekka 2010-07-03 09:54:45

@Daniel: Most good lockout systems only lock the specific IP or IP range after x failed attemps, not the whole Internet, and they can even show a CAPTCHA to unlock the lockdown.

Alix Axel 2010-07-03 10:12:23

@Alix: I was thinking of systems where they lock out the specific account. My university does that. It would be trivial getting people to fail a course by preventing them from uploading their answers to obligatory assignments.

Daniel Egeberg 2010-07-03 10:16:58

+2 A:

The only thing I disallow / strip in passwords is whitespace, there is no reason to forbit anything else.

Alix Axel 2010-07-03 09:10:48

Mm, I'd say that depends on the target audience of the service you're offering. If they're travelers, I'd be cautious. Say you are on vacation in a country where your local Umlauts (`äöüß` in my case) are not available on the keyboard. Most people don't know the Alt+xyz codes to get them. It's not your fault they chose the wrong password in that case, but it may do everyone good to prevent it.

Pekka 2010-07-03 09:12:36

In Portugal we don't use Umlauts for any word yet all keyboards cömë with it. Still, people are not stupid, if they choose a password with Umlauts they should know how to get them (maybe via on-screen keyboard or character map). I hate websites that restrict passwords to alpha-num-dashes, a larger and more internationalized charset could be studied but I doubt it would be accepted / remembered by everyone.

Alix Axel 2010-07-03 09:19:14

@Alix interesting about the portuguese keyboard layout! Still, there are so many umlauts that aren't available elsewhere. I can easily see a german user choosing a password containing `ß` and then being unable to log into their E-Mail in the Internet café on Mallorca. Most users don't know how to get the character map - the site would have to provide a keyboard on Logon.... I agree with you though that limiting length and disallowing uppercase is just plain stupid.

Pekka 2010-07-03 09:28:20

+2 A:

When I enter passwords, I normally like to write longer sentences that i can remember instead of p"%&/k1 or the like.

So make sure you allow your users to write passwords longer than 10signs. It always frustrates me, when I am forced to enter a short password with special characters instead of a longer one that would be more memorable and safer.

SwissCoder 2010-07-03 09:18:44

You wont believe this but one of the major ISPs in my country restricts passwords to 6 to 8 0-9a-z chars. They don't even allow uppercase, I get blaffed by their stupidity.

Alix Axel 2010-07-03 09:22:18

A:

I only disallow characters that can't be typed on a standard keyboard. There's no reason why a user can't choose a secure password with 26 uppercase and lowercase letters, 10 numbers, and 20 something symbols.

If you're doing a login system for a public site, instead of forcing users to choose a secure password, I would recommend using OpenID. That way, the user doesn't need to remember a new hard-to-remember password just for your site.

Exception 2010-07-04 05:49:59

A:

Don't mess with the user's password.

Just make sure that you are using a consistent encoding and rules in all stages of your password handling. In your case encoding shouldn't be a problem as you are storing salts.

As examples, I've come with stupid rules like passwords being limited to 4 digits (!!!), only alphabetic characters (a-z), and some academic website silently truncating passwords to 10 chars on registration and then failing when you tried to login with the long password.

asr 2010-07-06 10:17:06

how did I end up answering a week-old question with an already accepted answer ?

asr 2010-07-06 10:35:32

ansaurus

tags:

views:

answers:

Disallowing characters in a password?

related questions