Jump to content

What characters are allowed for usernames and passwords?

Go to solution Solved by Eigenvektor,

Ideally, for a password, any character should be allowed. The password itself should then be stored as a salted hash, never as clear text.

 

The more restrictions you place on password characters, the less secure the password becomes, because someone trying to brute force the password has less characters to go through.

 

For the username, it really depends on what you're doing with it. Unless a character causes issues for some reason (e.g. part of a URL) then there is absolutely no reason to blacklist any characters as well.

What characters are allowed for usernames and passwords? I'm trying to figure out how to sanitize user input when registering an account to a website in javascript, or is there a js framework out there that will do this automatically?

 

let illegal = "`\:{}?<>,."

 

My idea is to count illegal characters like those on the list above, and not allow the user to register unless those are replaced. I planned to only allow alpha numeric characters but realized there are other languages like Japanese with a different set of characters so that's a no go, there would be way too many characters to monitor.

Link to comment
Share on other sites

Link to post
Share on other sites

Ideally, for a password, any character should be allowed. The password itself should then be stored as a salted hash, never as clear text.

 

The more restrictions you place on password characters, the less secure the password becomes, because someone trying to brute force the password has less characters to go through.

 

For the username, it really depends on what you're doing with it. Unless a character causes issues for some reason (e.g. part of a URL) then there is absolutely no reason to blacklist any characters as well.

Remember to either quote or @mention others, so they are notified of your reply

Link to comment
Share on other sites

Link to post
Share on other sites

12 minutes ago, ARTHURX64WB said:

My idea is to count illegal characters like those on the list above, and not allow the user to register unless those are replaced.

What is your reasoning for this? why ban certain characters?

🌲🌲🌲

 

 

 

◒ ◒ 

Link to comment
Share on other sites

Link to post
Share on other sites

22 minutes ago, Arika S said:

What is your reasoning for this? why ban certain characters?

To prevent cross-site attacks or SQL injections? Well there are those functions in PHP that cleans input but I thought just doing additional sanitation just to be sure. I'm really concerned about the first names, names, and usernames as those are the ones that might need banning some characters. Nobody spells their legal names like crazy, unless we count Elon Musk's child, I guess.

Link to comment
Share on other sites

Link to post
Share on other sites

34 minutes ago, James Evens said:

Never reuse the salt. Every password get's it's own salt.

I do unique salting and hashing. It's quite fun.

Link to comment
Share on other sites

Link to post
Share on other sites

43 minutes ago, ARTHURX64WB said:

To prevent cross-site attacks or SQL injections? Well there are those functions in PHP that cleans input but I thought just doing additional sanitation just to be sure.

Sure, do escape user input before using it as part of a query. But unless you have reasonable doubt that PHP's fuctions are working as advertised, there should be no reason to perform additional cleanup.

 

I see no reason to ban certain characters unless you're working with a legacy system that e.g. can't handle UTF-8. One legit reason to add your own filtering might be to ensure no expletives are used.

 

As you said, one of Elon Musk's children has special characters in their name. Why should they be unable to register as a user with their given name?

Remember to either quote or @mention others, so they are notified of your reply

Link to comment
Share on other sites

Link to post
Share on other sites

3 hours ago, Eigenvektor said:

Sure, do escape user input before using it as part of a query. But unless you have reasonable doubt that PHP's fuctions are working as advertised, there should be no reason to perform additional cleanup.

 

I see no reason to ban certain characters unless you're working with a legacy system that e.g. can't handle UTF-8. One legit reason to add your own filtering might be to ensure no expletives are used.

 

As you said, one of Elon Musk's children has special characters in their name. Why should they be unable to register as a user with their given name?

It's a non-issue anyway, since the SQL query will only receive the salted hash, and as such the input will have to be encoded (hex, base64, etc.) anyway, and therefore not receive invalid characters.

 

User names however are a different story altogether.

Link to comment
Share on other sites

Link to post
Share on other sites

Ideally, you should allow any character but that requires you to be careful about using UTF-8 aware functions to split strings, search in strings and so on.

 

I'd basically limit all fields to something reasonable like 200-250 characters. (depending on collation you choose for mysql tables you may want to lower it if you want full text search / indexes on it  - see https://serversforhackers.com/c/mysql-utf8-and-indexing)

For usernames, you'd want to normalize the submitted username (and other text inputs from users if deemed necessary) ... see the answers at https://stackoverflow.com/questions/7931204/what-is-normalized-utf-8-all-about

 

Basically, some characters can be written using different series of bytes... you want to decide on a normalized form to make sure a username that's visually similar doesn't already exist in the database ... quoting from the link above :

Quote

for example a letter with an accent (say, é) can be represented in two ways - a single code point U+00E9 or the plain letter followed by a combining accent mark U+0065 U+0301. Ordinary normalization will choose one of these to always represent it (the single code point for NFC, the combining form for NFD).

 

It's also important to prevent hackers and scammers into making accounts with visually similar names and then make fake pages or scam them or whatever.

 

For passwords, if you send temporary passwords or something like this, it would probably best to stick to a-z A-Z 0-9 !@#$%&*()[]  but I'd go further and make sure there's no 0 and O  or 1 and I , or lowercase L  and i  in the password, basically keep remove letters that could be confused for numbers.

 

You shouldn't care what user inputs as password, you never store the raw password text anywhere.  At the very least, generate a random salt for the account (a few random bytes) and then create a hash (md5/sha256/whatever) of that salt plus the password entered at registration ... if user wants a password reset, you also change that salt to something else.

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

On 6/12/2021 at 7:27 AM, ARTHURX64WB said:

I'm trying to figure out how to sanitize user input when registering an account to a website in javascript, or is there a js framework out there that will do this automatically?

Don't trust the client, any kind of input validation must be enforced server-side.

ಠ_ಠ

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×