Should users be allowed to use any special character they want when creating a password?

Question

I came across a number of login configuration settings where there is a list of allowable special characters and was wondering:

Does this limitation cater for a specific security or usability need?

Example: A list of special characters supported by Oracle Identity Manager and Microsoft Active Directory for password field :

Update:

Thanks everyone for the generous response!

Every time I have asked a question that involves security and usability there seems to be a clear divide between proponents on each side. However this need not be as this is one area that requires a lot of compromises and trade-offs… UX depends on it!

Answer 1

If the user can type it then it should be allowed in their password.

Telling someone what they can and can't use in their password always feels wrong to the user. Passwords are currently the most universal way to authenticate. Preventing users from entering anything is, in essence, telling them who they can or can't be.

1. Any printable character that a user inputs should be allowed.

The following characters are okay...

'A', 'a', 'á', 'Æ', 'æ', 'Ñ', 'ñ', '-', '_', ' ' (space), '\t' (tab), '\n' (newline), ...

Just because I don't know how to submit a TAB or ENTER character as part of my password doesn't give me the right to prevent others from doing so.
(Don't worry, few people will try to submit an ENTER character as part of their password but allowing the few that do will earn their respect.)

2. Keys that don't display a printable character should not be allowed.

The reasons for this should be obvious but for completeness I will mention the following keys which can be detected but are reserved for other actions. For example, a password input shouldn't record that the shift was hit multiple times...

[ctrl], [alt], [shift], [arrow keys], [apple key], [windows key], etc.

3. Not allowing certain characters makes users question your security.

When you prevent users from putting certain characters in their password it not only annoys people but causes many of them to question what else you are doing that isn't secure.

You may as well be saying...

"Hey we don't want to fix our application to properly deal with special characters so would you mind helping us out by making your password less secure?"

The rules below will allow for secure input while preventing a user from ever getting stuck:

• Don't show the characters that the user is typing in password fields (there are some exceptions on mobile)

• Having the user type in their password twice is usually sufficient in letting them know that they got it right (i.e. didn't accidentally add unintended white space etc.)

• Having a password reset mechanism is important to handle any cases of accidental lockout.

4. Encouraging a user to add more isn't the same as prohibiting characters.

One way to help a user come up with a secure password is to make a game out of it...

5. The future of authentication

"The Tech That Will Kill Passwords Dead" is a pretty good gizmodo article discussing the problems we all face with passwords. It also talks about some new patterns that could possibly replace passwords one day.

Many mobile applications are starting to allow users to show or hide passwords in plain text in order to increase ease of use and remove one barrier to entry. I would still avoid this because the problem it creates is worse than the problem it solves.

Even with a very intuitive mechanism for showing/hiding a password 60% of users still say it feels wrong to see passwords in clear text.

According to that same article it appears that Touch ID is on the right track and easily wins as far as usability is concerned. Touch ID still has some major problems that make it impractical. The biggest being that it only works on select devices and has issues with one person controlling multiple accounts.

Facial recognition is another contender as an increasing number of high pixel density cameras make their way into the world but this approach often leaves people worrying about privacy.

The one problem shared by all of these new authentication attempts is this: You are the password.

It's actually a lot easier to fake who you are than what you know. In addition, once you've been compromised it's nearly impossible to change (your fingerprints for example)

Passwords are the authentication mechanism of choice for a good long while so...

Please don't place arbitrary character limitations on my password. Thanks!

Answer 2

If a site requires that passwords only contain certain character codes, then a user will be able to enter the password into almost any device which is capable of producing those characters. If the password contains character codes which may be entered on some devices but not on others, then a user who creates a password on a device which could enter the codes contained therein but then later needs to log in with a device that can't, would be effectively locked out of his account.

On almost any reasonable platform, the 94 printable ASCII characters will be clearly distinct. Even if a font annoyingly uses identical glyphs for I and l, or for 0 and O, people who enter such characters will generally have no doubt about which they entered. By contrast, on some platforms a user might think he's entering a character like ɸ when he's actually entering a φ; if such a user moves to a machine where characters are entered differently, he may be unable to access his account unless or until he can figure out what characters he might have used in entering his password.

Things get further complicated if one factors in things like combining diacritical marks. Some characters like ë have two legitimate representations--either a single "Latin Small Letter E With Diaeresis" [code 0x000EB] or a "Combining Diaeresis" [code 0x00308] followed by "Latin Small Letter E" [0x00065]. Some devices may not allow the user to control which form is entered. Ideally the password would be converted to a known normalized form prior to hashing, but it's far from certain that all code which tries to "normalize" Unicode strings will always work the same way (even if it's specified to, that doesn't mean it actually will).

Answer 3

I would like to add to DaveAlger's point. I, like many people, create algorithms in order to better remember passwords. I've spoken to many people (in an informal manner) about passwords and I have heard a lot of objections

• why can't I use a part of my email or my username in my password?
• why is there a character limit? (affects my algorithm)
• why can't I use special characters?
• why must I use upper case, or numbers, or special characters?

Just about everyone is frustrated when they're forced to change their password. IF the password submitted is considered insecure (example 1234, 1111 or qwerty) then tell the user that the password is rejected as it considered insecure. But make certain that the password is indeed insecure even it doesn't meet some individual requirement.

Password blueOrangeMetsWasSheaNowCiti is safer than #$78rt even though it doesn't use numbers or special characters.

Limiting does not help usability as it can only frustrate users and, while I'm not a security expert, I cannot see how limiting a character set can, in any way, aid in securing a system.

Answer 4

It can make sense from a usability and support perspective.

If the character isn't possible to type on a keyboard/phone without using alt codes or copy-pasting.

Keep in mind that the most active internet enabled devices have touch screens. Your user could create the account from their laptop, then try to access the account with their phone, which isn't capable of entering in the Æ character.

And all whitespace characters should be cleaned as a generic space, trimmed from front and back, and multiple whitespace characters back to back being ignored and treated as a single whitespace. Why? Because lots of things have issues with whitespace, especially leading, trailing, and multiple whitespace characters in a row.

While you should probably allow whitespace (people like to use phrases now), you might want to inform your user how you tidied up their password, but that they don't need to worry about it if that is how they are used to entering it.

Also allowing unicode characters that then need to be piped over HTTP is another potential support ordeal.

Answer 5

It depends.

If you've got reasonably strong control over the password input mechanism (keyboard layouts, software stacks, etc.), then letting users freely input anything they want is a good idea, because it maximizes the available password space. Someone attacking an English-language site probably won't try even obvious things like "كلمة المرور" (which Google Translate assures me is Arabic for "password"). In such a case, encoding mix-ups don't really matter, since any mix-up will be the same across all systems, canceling itself out.

On the other hand, if you're trying to support as broad a range of systems as possible, you should restrict passwords to the 95 printable ASCII characters, in order to keep programming and support nightmares to a minimum. Supporting everything means dealing with homoglyphs (Α, А, and A look identical to a human, but have different byte values), duplicate characters (the "micro sign" µ and the "Greek lowercase mu" μ represent the same character, but are encoded with different byte values), different composition forms (ñ and ñ look the same, but the first is an "n" followed by a combining tilde, while the second is a single precomposed character), and different ordering of combining charcters (ế can be expressed as either "e + acute accent + circumflex accent" or "e + circumflex accent + acute accent", which a computer sees as different) -- and that's just within Unicode. Garbled encoding transformations can mean that somebody's attempt to enter "Pässword" on an ISO 8859-1 system gets interpreted as "Pδssword" by an ISO 8859-7 system.

Answer 6

One problem that I've seen with non-ASCII passwords is that some systems deal with characters and others deal with encoding-specific code points. The "א" character might be represented in different ways depending on encoding, and sometimes the same character may be represented in any of multiple ways ("é" could equally be U00E9 or U0065 U0301).

Consider the Python2 -> Python3 transition. Serializing "שלום" in Python 2 and then comparing to the same value serialized with Python 3 will result in FALSE as Python 3 due to the changes in the way strings are represented internally in Python.

PHP has a similar mishap: it deals with bytes, not characters. So a user who has input "שלום" on a page with CP-1252 encoding may not be able to log in on a page with UTF-8 encoding. Combine this with the host of encoding issues that were inherent in using the mysql_* drivers (less so in the PDO drivers, which make it easier) and the problem is compounded.

In PHP I've dealt with the issue on non-English websites by ensuring that I'm properly connecting to the database via UTF-8 (Much easier since PHP 5.3.3 but problematic before that, even with PDO, so much so that I still remember the critical version number), using prepared queries and proper hashing, and that I'm always serving the page as UTF-8. However I've seen no end to the problems that my less pedantic colleagues face with the issue.

Answer 7

Yes, unfortunatelly, the restrictions on characters the user can use in the password have sense from the UX perspective.

If you're operating a worldwide service, you'd like your users to be able to log from all places of the world. If it's the case, you must take into account, that unfortunatelly, the keyboards are not standarized.

Event the layout of the basic characters is variable. For example, in Germany, gods know why, they've exchanged 'Z' with 'Y' and they've done a complete mish-mash with other characters.

Event if you, as a user, manage to find given button on the keyboard, it's still most likely you won't be able to type 'national' characters of your choice, because every country has own keyboard layout (virtual, or in extreme cases, like in Germany, even physical) and allowing any user to choose any keyboard layout is not an option, at least not in Windows machines.

Please note, that most users are not aware of that issues.

So there are practical reasons for limiting the choice of the characters one can have in the password to the set that can be (probably) typed by any user from any machine.

Answer 8

Authentication and security are critical. A security breach will kill you.

Do you have any idea what goes on between a keyboard and server? You have normalization, encoding, ambiguities in Unicode, serialization, NAT, man-in-the-middle, and other measures. That is a secure end-to-end transaction that is used for the entire session. Bad guys want to take advantage of any of that stuff.

A common security practice is to limit the attack surface and protect it like a soldier.

This is not programmers being lazy: it is about protecting a very sensitive and critical function that lots of bad guys are tying to exploit.

To say “I want to use any character, but protect me” is like saying “accept any form of ID but assure me that they are who they say they are”. I cannot get on a plane with my school ID for a reason: it is not as secure.

The bottom line is that a functional secure password can be created from 128 characters. There is no security reason to support more. To support all Unicode is a needless security vulnerability.

Answer 9

A few guide lines:

• Let user enter any character in the ASCII range of 32 (space) to 126 (~) - these should be the same in any character code.

• Limiting your users to less characters will only frustrate them and force them to choose less secure or harder for them to remember passwords.

• Characters bellow ASCII 32 (and ASCII 127 = Delete) have specially meaning e.g. ESC, Enter (submit form), Tab (jump field) and other characters that are not meant to be typed and therefore should not be accepted.

• Characters above ASCII 127 may not be typable on some keyboards or devices (may prevent login via phone or via other PCs while abroad) and require unicode storage (less of an issue, however, you need to be aware of it)

• Don't limit the length too much - e.g. let users enter 10s of characters e.g. up to 50 or to 100.

More details on passwords in my answer here.

Answer 10

What if it takes two weeks to get the password reset by a letter being sent to my home address and I can’t access my bank on holiday due to their being a character in my password that I can’t type on my iPhone.

Will I blame the bank, will I consider changing banks……

What if my back decides at some later stage they wish to use drop down lists to input a password rather than a text field….

What if the keyboard I am using today outputs a different character when I press £?

Given the risk in resetting passwords, are we just creating a different risk by allowing users to have password that are more likely to need resetting?

However if the password can be reset just by the website sending me an email, it should allow anything in the password.

Answer 11

Limiting allowed characters in passwords to a sane subset of printable characters is a good idea. More flexibility is not always better. That's why we have speed limits on roads. Frequently, usability is about protecting users from their natural aptitude for shooting themselves in the foot.

From a server-side security standpoint, there is no problem in supporting full unicode passwords. Even if you don't want to handle crazy characters on the server side, a little bit of javascript coding can easily preconvert all passwords to hexadecimal notation before they are sent and handled by the server. But, for the reasons given above, one should do this -and- also limit to a sane subset of printable characters.