
Yes, using any restrictions on the letters that a user can put in his password weakens security. But on the other hand: have you ever tried the Euro sign (€) on a Thai keyboard? Or a German Umlaut (Ä) on an English keyboard?

For this reason I have been using the following regex restriction for my travelling customers for years now:

`^[0-9a-zA-Z @.\-_+]+$` (so basically numbers, letters, blank and @ . - _ + are allowed).

Although there have never been complaints (and more importantly people were able to log in no matter which keyboard layout) I want to extend this collection of letters.

Which letters are safe to use - no matter what kind of national keyboard a user has?

Eddie
  • Btw. on my research I tried TripAdvisor's password policy: they actually allow something like `@€~µพ123` (having a Thai letter in the middle) which will work almost nowhere without any tweaks. – Eddie Jun 24 '16 at 16:29
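As an added illustration (not code from the question or from Eddie's project), here is the whitelist regex from the question wrapped in a small Python validator. Beyond a plain match it reports each rejected character by code point and Unicode name so a sign-up form can say exactly what was refused, and it folds input to NFC first, because the same Ä key can arrive as one code point or as A plus a combining diaeresis depending on the platform; the sample passwords are constructed, one of them being the TripAdvisor-style string from the comment.

```python
import re
import unicodedata

# The whitelist from the question: digits, ASCII letters, space, and @ . - _ +
ALLOWED_RE = re.compile(r"^[0-9a-zA-Z @.\-_+]+$")


def normalize(password: str) -> str:
    """Fold to NFC so 'Ä' typed as one key and 'A' + U+0308 (what some
    keyboard drivers emit) are compared as the same string."""
    return unicodedata.normalize("NFC", password)


def is_allowed(password: str) -> bool:
    """True only if the whole (normalized) password matches the whitelist.
    An empty password fails because the regex requires at least one character."""
    return ALLOWED_RE.fullmatch(normalize(password)) is not None


def disallowed_chars(password: str) -> list[tuple[str, str, str]]:
    """List (char, 'U+XXXX', Unicode name) for every rejected character,
    in order of appearance, so the user can be told what to remove."""
    return [
        (c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
        for c in normalize(password)
        if ALLOWED_RE.fullmatch(c) is None
    ]


if __name__ == "__main__":
    # Constructed samples: an accepted one, the string quoted from TripAdvisor
    # in the comments, and a decomposed umlaut as a keyboard driver might send it.
    for pw in ["Tr4vel_pass+1", "@€~µพ123", "A\u0308pfel"]:
        print(repr(pw), "ok" if is_allowed(pw) else disallowed_chars(pw))
```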

1 Answer


I would go ahead and say all letters are safe. If they can type it on their home computer I don't see why restricting them to a national patterned keyboard would be a problem.

However, I would be more concerned with what can be typed on a cellphone keyboard. Holding down the keys generally gives you a lot of options to include international symbols.

Mobile devices are much more common than personal computers and this gap is only growing.

ghosting999
  • Does this help? Personal computing is becoming legacy as technology expands. Unless you are writing a program for a business I would focus on mobile capabilities for passwords. – ghosting999 Jun 24 '16 at 17:06
  • Well, it does help insofar as you reminded me that I'm far behind with my project, which has been running 15 years now. But it doesn't solve my problem as I am currently transferring to a new Symfony based backend - while the "mobile unfriendly" frontend stays the same for at least the next 6 months. – Eddie Jun 24 '16 at 21:37