Curious about passwords and user names

Not that the answer to this question will do much more than make me go “ah” because I don’t do web stuff

Why do websites only allow for such limited characters when making user names and passwords? i.e. my user name can’t be Jym^&%$ same with password

Limitations of the database field that they’re using probably… or they just don’t care to deal with escaping certain characters.

Because they were designed by poor programmers who don’t really care about security.

[quote=134442:@Jym Morton]Not that the answer to this question will do much more than make me go “ah” because I don’t do web stuff

Why do websites only allow for such limited characters when making user names and passwords? i.e. my user name can’t be Jym^&%$ same with password[/quote]

Because some of these characters can be used for injections and in order to prevent such attacks, the simplest way is simply to filter them out.

If you’re writing code to filter them out, you could just as well escape them. No, the main reason is because the programmer is using some built-in function of their toolkit or library and just settling for what they offer instead of finding a better method or rolling their own. This is also a warning sign, for if they can’t be bothered to ensure good security practices on the character set, you have to wonder what else they’ve skimped on, like encryption of the password.

I never said they were good or doing it right. Just that this is common practice for PHP and Perl programs. Indeed one has to wonder what kind of shortcuts they take behind the curtain :wink:

In Xojo, I tend to believe all characters should be used, since there are fewer vulnerabilities than in these languages.

If I had to guess, it probably has something to do with various keyboards, especially in different countries. It might be easy to type $ for us, but £ or € is more work. Macs allow these with the Option and Option-Shift keys pressed, while Windows users need to know the Unicode representation to generate these. Imagine being at a different keyboard or in a different country and having to hunt down all the characters to log in because you can’t figure out how to get the keyboard to generate these characters.

Depending on what you are doing with the characters… escaping them may not be what’s needed. Dealing with things like our Active Directory authentication service requires that the non “web-safe” characters be URL encoded. Perhaps that’s what you meant anyway. When I think of “escaping characters” I think of the typical shell “\” escape character.

Windows has the AltGraph key (right alt) that generates all sorts of alternate characters, just like Option on a Mac, and extra luxury, most PC keyboards are engraved with these.

That said, I have traveled enough to experience quite a few different keyboards, and sometimes even the simple ABC can be a challenge :wink:

You are right. “Escape” has a specific connotation to the Linux and Mac path. At any rate, even through Base64 or a prepared statement, it is not so difficult to let the user employ whatever characters he wants and record them in a database.
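The prepared-statement approach mentioned in the post above, as an added example that is not part of the original thread. It assumes Python with SQLite; the table layout, function names and sample credentials are constructed for illustration, and the salted PBKDF2 hashing of the password is a choice made here, not something the thread specifies.

```python
import hashlib
import hmac
import os
import sqlite3

def open_db():
    # Hypothetical schema: the password itself is never stored, only salt + digest.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def hash_password(password, salt):
    # Any Unicode input becomes a fixed-length digest, so the stored value
    # contains none of the user's characters, whatever they typed.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def register(db, name, password):
    salt = os.urandom(16)
    # "?" placeholders pass the values separately from the SQL text, so quotes,
    # semicolons and symbols in the user name are stored as plain data.
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))

def verify(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the stored digest with the recomputed one.
    return hmac.compare_digest(stored, hash_password(password, salt))

def demo():
    db = open_db()
    # Constructed sample accounts using characters many sign-up forms reject.
    samples = [("Jym^&%$", "p@ss^&%$ £€"), ("O'Brien; --", "it's \"quoted\"")]
    for name, pw in samples:
        register(db, name, pw)
    return db, samples

if __name__ == "__main__":
    db, samples = demo()
    for name, pw in samples:
        # Correct password verifies; a near miss does not.
        print(repr(name), verify(db, name, pw), verify(db, name, pw + "x"))
```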

I went on holiday to Portugal: the keyboard layout was so obscure, they had to put printed instructions on the wall of the hotel about how to enter the ‘@’ symbol!!