A question for the cryptologists and computer people in the audience

[andrewducker]

Is there any good reason to forbid people from having punctuation in their passwords?

Comments

[jack]

I'm not a crypto person, but when I consider it I'm torn between two opposite impulses:

1. If you allow any sort of "special" characters (punctuation, non-ascii, null, etc), they may come back to bite some other part of the system, even if you properly encrypt the password and never do (or are able) to send the password out again.

2. Any user-supplied data and especially passwords should be stored as opaque text, so should be able to accept any characters and work just the same, and if it can't that suggests you're concatenating it or not encrypting it, both of which are big big no-nos.

[gominokouhai]

Maybe as a hamfisted attempt to prevent escape characters for code injection attacks?

[flick]

I remember, back in the day, having two punctuation marks in my Egg password. It wasn't a problem online, but when you phoned them the password check was an automated system that went "press the number corresponding to the position in your password of the following character" and, for the punctuation marks, that was just silence....