An anonymous reader writes "I recently had to reset a password used to access an investment account. The instructions stated:
"Do not use symbols, punctuation marks, or spaces (e.g.,#,@,/,*,-.)"
Are there any valid technical reasons for this? If I were to build such a web authentication system, I would have the application server convert the %XX characters from the POST string, salt and hash the value, convert it to a format applicable to the application/storage (i.e. unsigned int, HEX64, etc), then compare it to what I had stored in some flat file or database (depending on the application). Since the format of the password would be immediately converted to a different format, character limitations wouldn't be necessary. At most I would limit the size of acceptable password to save CPU cycles on computing hashes on long inputs. I can see limitations on usernames because it is likely this information is stored in a SQL queried DBMS. Limiting characters would protect the database from SQL injection.
I have worn several different IT hats, web developer is one of the few I haven't worn. I am hoping some web developers here might be able to shine some light on this. Is my general idea of how to go about building an authentication system solid? Am I missing some storage or performance/session related issue?"