[techtalk] Characters to avoid in passwords

Magni Onsoien magnio at pvv.ntnu.no
Mon Mar 19 10:40:10 EST 2001


I was debugging some password problem the other day (dash first in
password at ftp-server -> ftp-server turns off continuation messages
that may confuse some ftp programs), and I came to think of if there
exists a list of characters to avoid _for technical_ (no security rules) 
reasons in passwords on different kinds of OS and services, i.e. 
characters that may cause trouble when used on a certain OS or to connect 
to a certain service.  An example is the "-" first in passwords (avoid it 
by prepending an extra - first when typing the ftp-password..), another 
is ":" in passwords at HP-UX 10.10 (I think it thinks the password ends just
before the : and thus just uses the first part of the password for login
etc). I also think I have encountered problems with Windows NT, but I can't
exactly remember the situation. 

Another problem: if only the first 8 chars are used by the OS, but ALL chars 
(i.e. more than 8) are encrypted at the password-distribution server,
the user can't log in. But that is a bug in the password distribution
implementation rather than a technical problem..

So, if anyone knows a list of characters to avoid or has examples of
other characters that are KNOWN to cause problems on a certain OS or a
service, I'd be happy to know.

(I usually recommend users not to use any special chars but period and
comma, but that might be an overkill even though it's a very convenient
and uncomplicated rule of thumb. Since I want automatic generation of
passwords in this case, I won't have to bother the users with lists of 
legal and illegal chars anyway.)
 

Magni :)
-- 
sash is very good for you.
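
The checks discussed in the message above, as an added example that is not part of the original post: a linter for the technical pitfalls it names (leading "-", ":", more characters than the OS uses) and a generator restricted to letters, digits, period and comma. The function names and the `significant_chars` parameter are assumptions made for illustration.

```python
import secrets
import string

# Conservative alphabet from the post's rule of thumb: letters, digits, and
# only period and comma as special characters (so never "-" or ":").
ALPHABET = string.ascii_letters + string.digits + ".,"


def lint_password(pw, significant_chars=8):
    """Return the technical (not strength-related) problems found in pw.

    significant_chars is an assumption: how many leading characters the
    target OS actually uses (8 in the post's example).
    """
    problems = []
    if pw.startswith("-"):
        problems.append("leading '-': changes how the FTP server replies")
    if ":" in pw:
        problems.append("':' present: reported to cut the password short on HP-UX 10.10")
    if len(pw) > significant_chars:
        problems.append(
            "longer than %d chars: OS and distribution server may disagree"
            % significant_chars
        )
    unusual = sorted(set(pw) - set(ALPHABET) - set("-:"))
    if unusual:
        problems.append("outside conservative alphabet: " + "".join(unusual))
    return problems


def generate_password(length=8):
    """Generate a password from ALPHABET with a CSPRNG and lint it."""
    if length < 1:
        raise ValueError("length must be at least 1")
    pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    # Cannot fail by construction; kept as a guard if ALPHABET is edited.
    if lint_password(pw, significant_chars=length):
        raise RuntimeError("generated password failed lint")
    return pw


if __name__ == "__main__":
    # Constructed sample passwords, one per pitfall plus a clean one.
    for sample in ["-secret1", "pass:word", "abcdefghijkl", "Ab3.x,9Q"]:
        print(repr(sample), lint_password(sample))
    print(generate_password())
```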



