There’s no technical reason for any character at all to be disallowed in passwords.
Whitespace and other special characters such as the newline, backspace and carriage return characters might be disallowed for practical reasons with the interface.
But beyond that, it’s usually because the application is handling the password in an insecure manner. The contents of the password should be completely irrelevant to the operation of the application, because the application should be handling the password in a SecureString which is encrypted.
If the password contents are enumerated to act upon logic and alter the application behavior, then the password must have been saved somewhere insecurely for that evaluation to have occurred.
And yet, look at how many websites restrict your password to a few special characters or even explicitly disallow some. It always concerns me when I see that because I know what’s probably happening behind the scenes.
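To illustrate the point about password contents being irrelevant to the application, here is an added example (not part of the original answer) that treats the password purely as bytes fed to a salted key-derivation function. The function names, the record format and the sample passwords are assumptions constructed for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$hash_hex'. The password itself is never
    stored or interpolated anywhere, so its characters cannot break the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# Constructed sample passwords containing characters that sites often reject.
SAMPLES = [
    "' OR 1=1; --",
    "<script>alert(1)</script>",
    "tab\tand\nnewline\r",
    "pässwörd 🔑 with spaces",
    "x$y$z %s \\ \x08",
]


def round_trip(password: str, iterations: int = ITERATIONS) -> bool:
    """True if the password verifies against its own record and a
    one-character variation of it does not."""
    record = hash_password(password, iterations)
    return verify_password(password, record) and not verify_password(password + " ", record)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), round_trip(sample))
```

Only the hex-encoded salt and digest ever reach storage, so quotes, angle brackets, control characters and `$` in the password have no effect on queries, markup or the record layout.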