Tags: security, language-agnostic, validation, passwords

What characters would you make invalid for a password?


A hypothetical situation: you've implemented a password handling system, and it doesn't impose any limitations at all on what characters can be used. You want to set up some rules that are a reasonable compromise between two things -

  1. Allow the user as much freedom as possible.
  2. Allow for the possibility that you may change how you handle passwords in the future - you don't want to rule out reasonable implementations because your users' existing passwords would become invalid.

What rules would you impose? Are there other factors that might affect your choice?


Solution

  • Best is no restrictions whatsoever, unless you can really justify them.

    If you are a bank, email provider, or if the user can order something without supplying a credit card, then forcing users to use a strong password makes sense. Otherwise, you're just making it hard for no reason.

    As to what you should store, I'd say 1024 characters of Unicode with control characters prohibited is about all that's justified. If the user can't type it, they should have picked a different password. All you're storing is a hash, so you can always cut it down to whatever size you want.
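As an added example (not code from the question or the answer above), here is one way to implement the storage rule the answer describes in Python: any Unicode up to 1024 characters, control characters rejected, and only a salted PBKDF2-HMAC-SHA256 hash kept. The NFC normalisation step, the 600,000 iteration count and the `algorithm$iterations$salt$hash` record format are my assumptions, not anything the answer specifies.

```python
import hashlib
import hmac
import os
import unicodedata

# Cap taken from the answer above: 1024 Unicode characters (code points).
MAX_PASSWORD_CHARS = 1024
# PBKDF2-HMAC-SHA256 work factor; assumed value, tune to your own hardware.
PBKDF2_ITERATIONS = 600_000


def validate_password(password: str) -> str:
    """Return the NFC-normalised password or raise ValueError.

    The only rules: non-empty, at most MAX_PASSWORD_CHARS code points,
    no control characters (Unicode category Cc) and no lone surrogates
    (Cs, which cannot be encoded as UTF-8 anyway). Everything else,
    including spaces, punctuation, emoji and non-Latin scripts, is allowed.
    """
    if not isinstance(password, str):
        raise TypeError("password must be a str")
    # NFC (assumed policy) so that "é" typed as one code point and as
    # "e" + combining acute hash identically; otherwise a user can be
    # locked out by their keyboard layout rather than by a wrong password.
    normalized = unicodedata.normalize("NFC", password)
    if not normalized:
        raise ValueError("password must not be empty")
    if len(normalized) > MAX_PASSWORD_CHARS:
        raise ValueError(f"password longer than {MAX_PASSWORD_CHARS} characters")
    for ch in normalized:
        if unicodedata.category(ch) in ("Cc", "Cs"):
            raise ValueError(f"control character U+{ord(ch):04X} not allowed")
    return normalized


def is_valid_password(password: str) -> bool:
    """Boolean wrapper around validate_password for callers that prefer no exceptions."""
    try:
        validate_password(password)
    except (TypeError, ValueError):
        return False
    return True


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Validate, then hash with a fresh random 16-byte salt.

    PBKDF2-HMAC processes the whole input, so, unlike bcrypt (which
    silently truncates at 72 bytes), every one of the 1024 allowed
    characters contributes to the hash. The stored string is
    self-describing: algorithm$iterations$salt$hash (assumed format).
    """
    pw_bytes = validate_password(password).encode("utf-8")
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored record; malformed input simply fails."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iteration_count = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        pw_bytes = validate_password(candidate).encode("utf-8")
    except (TypeError, ValueError):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, iteration_count)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple 日本語 🔑")
    print(record)
    print(verify_password(record, "correct horse battery staple 日本語 🔑"))
    print(is_valid_password("tab\there"))  # U+0009 is a control character
```

Note that the length limit is checked after normalisation and in code points, not bytes, so a 1024-character password may be up to 4096 bytes of UTF-8; that is harmless for PBKDF2 but would matter if you later swapped in a hash with an input cap.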