What are the typical characters allowed in text fields in a new user sign-up? Are there www standards? Especially interested in Username and Password character types allowed.
PLEASE allow apostrophes for all of the O'Briens, O'Malleys, O'Reillys and other apostrophed names!
I prefer to be able to use alphabetic, numeric, and special characters to create my passwords. I really hate it when sites deny me the use of special characters, particularly !@$*.
Don't restrict password characters. The more characters available, the more secure passwords can be. There's no good reason to forbid spaces, for example, in a password.
For usernames, it depends on where they will be displayed. If you plan to give users their own profile URL, you would want to limit characters much more than if not.
Just don't forget to escape user inputs when you output them again.
What reason would you have to ever deny any characters? You should just allow everything, with the possible exception of the null character. You will have to encode usernames when you print them on your site to avoid cross-site scripting problems, but you probably should do that anyway even if you're filtering the "dangerous" characters, just to be safe. Allowing all characters, especially for passwords, greatly increases usability (and security, in the case of passwords). Also, keep in mind that some users may want to input UTF-8 characters if they have accents in their names (or if they're using a non-Latin alphabet like Chinese or Russian).
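Added example, not code from the original answers: an input policy that rejects only the NUL character and accepts any Unicode, next to the output-time encoding the answer above calls for. The function names, the NUL-only rule and the sample usernames are all constructed here; the second renderer shows one detail the answer leaves implicit, that a JSON-encoded name dropped into an inline script still needs `<` and `>` escaped.

```python
import html
import json

NUL = "\x00"


def accept_username(name: str) -> bool:
    """Input policy from the answer above: accept any non-empty Unicode
    string and reject only a NUL character (constructed policy, not a
    standard)."""
    return name != "" and NUL not in name


def render_username_html(name: str) -> str:
    """Encode a stored username for an HTML text node or a quoted attribute.
    Escaping happens at output time; the stored value is untouched, so
    O'Brien stays O'Brien in the database and accented or CJK names pass
    through unchanged."""
    return html.escape(name, quote=True)


def render_username_script(name: str) -> str:
    """Encode a username as a JSON string literal for an inline <script>.
    json.dumps leaves '<' and '>' alone, so a name containing '</script>'
    would terminate the block; writing those two characters as \\u escapes
    closes that hole and is still valid JSON."""
    return json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")


if __name__ == "__main__":
    # Constructed sample usernames, not data from the original page.
    for sample in ["O'Brien", "Zoë 李小龍", "<script>alert(1)</script>", "bob\x00"]:
        if not accept_username(sample):
            print(f"rejected: {sample!r}")
            continue
        print(f"html:   {render_username_html(sample)}")
        print(f"script: {render_username_script(sample)}")
```

The point of the split is that the encoding is chosen by the output context (HTML body, attribute, script), not by the input field, so the same stored name can be rendered safely in each place without ever having been filtered.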
Passwords should, as an absolute minimum, allow every character available from the keyboard in your target locale(s).
If you do restrict characters, it shouldn't be for security (e.g. preventing quotes so people can't insert SQL). Your code should be able to handle any characters in an input string, by properly escaping them whenever they're sent somewhere. But it's fine to restrict them for business reasons, or for certain other practical reasons (e.g. Zach's example of a URL).
Will your application be used by any non-English users?
At the very least allow European characters like á à é è ì.
Of course if it has to be truly internationalized then you have to allow any characters in languages like Chinese and Arabic.
Looks to me like you can't really make a list of allowed characters if you don't want to make anyone mad.
If you want to do this for security purposes, I would recommend escaping the necessary characters before trying to use the string instead of filtering up front.
- Password fields should allow any characters (you're just going to hash it anyway, right?)
- Text fields should not be limited to specific characters (e.g. [A-Za-z]). Else you will be disallowing people who need (or want) to use accent characters. From a database/processing side of things, you will be escaping or using binding to save your data.
- If you have a specific field that you know can only accept a specific character set (business reasons, etc., as mentioned by JW), limit it accordingly. For example, forms that are meant for a US-only audience may restrict to numbers and a dash for postal codes.
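Added example, not code from the original answers, showing the two mechanisms the answers above rely on to make character restrictions unnecessary: the password is hashed (so spaces, `!@$*` and non-ASCII characters are just bytes to the KDF) and the username is written with parameter binding (so quotes and SQL fragments are stored literally). The table layout, the PBKDF2 work factor and the sample accounts are constructed for this example; SQLite's in-memory database stands in for whatever store the site uses.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor (assumed value kept modest so the example
# runs quickly; production deployments should tune this much higher).
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash a password of any length or character set. The text is UTF-8
    encoded and hashed with a per-user random salt, so there is no reason
    to forbid any character at sign-up."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def create_store() -> sqlite3.Connection:
    """In-memory user table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL UNIQUE,"
        " salt BLOB NOT NULL,"
        " digest BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Store a user with parameter binding: the username is never spliced
    into the SQL text, so an apostrophe or a SQL fragment is plain data."""
    salt, digest = hash_password(password)
    cur = conn.execute(
        "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
        (username, salt, digest),
    )
    return cur.lastrowid


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look the user up by bound parameter and check the password."""
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify_password(password, row[0], row[1])


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = create_store()
    # Constructed sample accounts: an apostrophe, an injection attempt, and a
    # password full of spaces, symbols and non-ASCII characters.
    register(db, "O'Brien", "correct horse battery staple !@$* ñ")
    register(db, "Robert'); DROP TABLE users; --", "pa ss word")
    print(user_count(db), login(db, "O'Brien", "correct horse battery staple !@$* ñ"))
```

After the two inserts the table still has two rows and the second account logs in under its literal name, which is the practical demonstration that binding, not character filtering, is what keeps the quote out of the query.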
To add to what others have said: password: anything and everything, but do hash them (of course).
username: everything, except, possibly, a space... or multiple spaces (i.e., a single space is ok; more than one space = 1 space).
Don't restrict anything, and if you want to give users their own URLs either use a numerical ID or ask the user to make the name for the URL. Never display the user's user name; display their display name (which should be limited to anything except dangerous Unicode characters) and is asked for after sign-up.
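Added example, not code from the original answers, putting together the URL and display-name advice from the answers above (the profile-URL point, the "more than one space = 1 space" rule and the numeric-ID / separate-handle / display-name split). The handle format, the 64-character display-name limit and the list of characters treated as "dangerous Unicode" (control characters and the bidirectional override and isolate controls) are assumptions made for this example; the page itself names no specific list.

```python
import re
import unicodedata

# Assumed handle format for a user-chosen profile URL segment: lower-case
# ASCII letters, digits and hyphens, 1 to 30 characters, no leading or
# trailing hyphen. This restriction applies only to the URL handle, never
# to the login name or the display name.
HANDLE_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,28}[a-z0-9])?")

# One reading of "dangerous Unicode characters" (an assumption, not the
# page's list): the bidi marks, embeddings, overrides and isolates that can
# visually reorder text. C0/C1 control characters are refused separately.
BIDI_CONTROLS = frozenset(
    ["\u200e", "\u200f"]
    + [chr(cp) for cp in range(0x202A, 0x202F)]
    + [chr(cp) for cp in range(0x2066, 0x206A)]
)


def normalize_username(name: str) -> str:
    """Login name: keep every character, but fold runs of whitespace to a
    single space and trim the ends."""
    return " ".join(name.split())


def profile_url_by_id(user_id: int) -> str:
    """Profile URL built from the numeric primary key; the username never
    appears in the path, so it needs no character restriction at all."""
    return f"/users/{int(user_id)}"


def profile_url_by_handle(handle: str):
    """Profile URL from a separately chosen handle; returns None when the
    handle does not fit the strict URL-safe format, so the caller can ask
    the user to pick another one."""
    candidate = handle.strip().lower()
    if not HANDLE_RE.fullmatch(candidate):
        return None
    return f"/u/{candidate}"


def accept_display_name(name: str) -> bool:
    """Display name shown on pages: any script is fine; only control
    characters and bidi controls are refused."""
    name = name.strip()
    if not 1 <= len(name) <= 64:
        return False
    return all(
        unicodedata.category(ch) != "Cc" and ch not in BIDI_CONTROLS
        for ch in name
    )


if __name__ == "__main__":
    # Constructed samples, not data from the original page.
    print(normalize_username("  bob   the    builder "))
    print(profile_url_by_id(42), profile_url_by_handle("obrien"), profile_url_by_handle("O'Brien"))
    for sample in ["Zoë O'Brien 李小龍", "invoice\u202etxt.exe", "a\x00b"]:
        print(repr(sample), accept_display_name(sample))
```

The bidi check matters for a display name in particular: U+202E (right-to-left override) is invisible on its own but reverses everything rendered after it, so a name such as "invoice\u202etxt.exe" would display with the characters reordered while still being a perfectly valid string to store.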