[techtalk] Characters to avoid in passwords

Mary Gardiner mary at puzzling.org
Mon Mar 19 21:47:40 EST 2001

On Mon, Mar 19, 2001 at 09:40:10AM +0100, Magni Onsoien wrote:
> to a certain service.  An example is the "-" first in passwords (avoid it 
> by prepending an extra - first when typing the ftp-password..), another 
> is ":" in passwords at HP-UX 10.10 (I think it thinks the password ends just
> before the : and thus just use the first part of the password for login
> etc). I also think I have encountered problems with Windows NT, but I can't
> exactly remember the situation. 

The /etc/passwd file uses : to separate the data fields. Although it
should be one way hashed and not come out the other end as a : this
could be confusing...

> (I usually recommend users not to use any special chars but period and
> comma, but that might be an overkill even though it's a very convenient
> and uncomplicated rule of thumb. Since I want automatic generation of
> passwords in this case, I won't have to bother the users with lists of 
> legal and illegal chars anyway.)

I think that's the standard rule - a password should be basically like
an email address, upper case and lower case letters, and numbers.
Probably the best way to pick up this kind of stuff is to use a version
of passwd that will actually check the entered password for illegal
chars ('Sorry, passwords can only contain upper case and lower case
letters, and numbers. Passwords may only be 8 letters long. Please try
again.') Some of them are little password-nazis ('Sorry that's too
short... is a reverse word... should contain at least one digit').


Mary Gardiner
<mary at puzzling.org>
GPG Key ID: 77625870
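
Added example, not part of the original message: a Python sketch of the point about ":" as the /etc/passwd field separator, combined with automatic generation from a letters-and-digits alphabet. PBKDF2 hex output stands in for the system's crypt() encoding here, and the function names and record values are constructed for illustration.

```python
import hashlib
import secrets
import string

FIELD_SEP = ":"  # /etc/passwd separates its seven fields with ':'
SAFE_ALPHABET = string.ascii_letters + string.digits  # letters and digits only

def generate_password(length=8):
    """Draw each character from the restricted alphabet with a CSPRNG."""
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))

def encode_hash(password, salt):
    """Assumed stand-in for crypt(): hex output can never contain ':'."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return raw.hex()

def passwd_line(user, pw_field):
    """Build a constructed passwd-style record around the given password field."""
    return FIELD_SEP.join([user, pw_field, "1000", "1000", "Test User",
                           "/home/" + user, "/bin/sh"])

def split_record(line):
    """Split a record the way any reader of the file has to: on every ':'."""
    return line.rstrip("\n").split(FIELD_SEP)

def is_well_formed(line):
    return len(split_record(line)) == 7

if __name__ == "__main__":
    tricky = "ab:cd"  # constructed password containing the separator
    stored_raw = passwd_line("alice", tricky)
    stored_hashed = passwd_line("alice", encode_hash(tricky, "Xy"))
    # Stored verbatim, the ':' adds an eighth field and the password
    # field appears to end just before it.
    print(is_well_formed(stored_raw), split_record(stored_raw)[1])
    # Stored hashed, the record keeps exactly seven fields.
    print(is_well_formed(stored_hashed))
    # Generated passwords cannot contain ':' or a leading '-' at all.
    print(generate_password())
```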
