A hypothetical situation: you've implemented a password handling system, and it doesn't impose any limitations at all on what characters can be used. You want to set up some rules that are a reasonable compromise between two things -

1. Allow the user as much freedom as possible.
2. Allow for the possibility that you may change how you handle passwords in the future - you don't want to rule out reasonable implementations because your users' existing passwords would become invalid.

What rules would you impose? Are there other factors that might affect you choice?

Best is no restrictions whatsoever, unless you can really justify them.

If you are a bank, email provider, or if the user can order something without supplying a credit card, then forcing users to use a strong password makes sense. Otherwise, you're just making it hard for no reason.

As to what you should store, I'd say 1024 characters of unicode with control characters prohibited is about all that's justified. If the user can't type it, they should have picked a different password. All you're storing is a hash, so you can always cut it down to whatever size you want.

Do not impose no restrictions whatsoever, ever. And it seems to me that you're planning on storing password, not hash. Do not do that either. Rather, store salt and hashed combination of password and said salt.

However, you can require your users to have a reasonably strong password by imposing restriction on length (say, not less than 6 characters) and on characters which comprise the password (say, it should contain lower- and uppercase alphabetic characters, one or two digits and several non-alphabetic characters such as ^ or #).

Best is no restrictions whatsoever, unless you can really justify them.

If you are a bank, email provider, or if the user can order something without supplying a credit card, then forcing users to use a strong password makes sense. Otherwise, you're just making it hard for no reason.

As to what you should store, I'd say 1024 characters of unicode with control characters prohibited is about all that's justified. If the user can't type it, they should have picked a different password. All you're storing is a hash, so you can always cut it down to whatever size you want.

No limit on the password. If they can type it from their keyboard, regardless of what regional keyboard they use. You may want to impose a minimum length, options like at least one number and one special character, but no max limit.

Regarding your second question. The way I would implement it is via making seperate fields as you improve password strength. For example, right now you would have two fields that relate to the password: salt, password_md5. Lets say later on you want to use sha256. Create a new field called password_sha256. When the user logs in you first check password_sha256. If that field is empty then check password_md5. If that matches you now have the plain text password the user entered. You can then generate the sha256 password (I'd also reset the salt for good measure) and store the new value. I would then blank out the value in password_md5 so no one could reverse that to get the password.

Personally I'd just go with the best hash your language can do and use that. The important things are enforcing a good minimum password policy--it doesn't matter how secure the hash is when the password is "1234"--and to seed the hash with some random character to avoid dictionary attacks.

Any non-control character should be fine. I should think that the developers of super-duper password systems in the future would allow "unusual" ASCII characters like punctuation and other marks, but control characters have a habit of being unwieldy to enter in text mode shells and even GUI dialogs that expect Tab and Enter/Return to be free for their own purposes.

A blank space (based on the logic it may be trimmed accidentally before being hashed)

In our organization, if the user is supplying the password we allow them to use anything they want.

When users are first enrolled in the system a password is generated for them. Since this password is usually mailed to them, we avoid using certain characters that could be confused particularly when using certain fonts. For example, the letter O and the number 0 (zero) are not used. The same for L, I and 1 (one), S and 5, Z and 2 and others.

Before we made this change we had a lot of calls to our help desk because the characters were confusing and they couldn't log in.

Personally I have always been keen on not enforcing too many rules.

This has just changed. I have just found my website is vulnerable to XSS attacks. The solution is to sanitise every piece of input that comes from the user, including the password.

For 10 years we have had no limits on the password. Now we are implementing a limit to the characters that can be used, and this is simply to block hackers from being able to access Javascript or SQL. So we constructed the following list:

Valid characters for a password are: a-z A-Z 0-9 . - _ $ * ( ) # @ ! % / (blank)

This allows lots of flexibility but avoids characters that might be used in coding an XSS hack, such as ; < > \ { } [ ] + = ? & , : ' " `

HTH

I'd keep anything you can make with one key (and optionally shift) on your keyboard, except tab. What kind of schemes would necessitate a more restrictive option?

Have the users type passwords that contain at least a number and a non-alphanumeric character, and be more than six characters long. Anyway, I think that whatever the limitations, in the event that you change the way you validate passwords, you should notify users in reasonable time to update theirs.

My policy dictates:

[^A-Za-z0-9-]

May sound harsh but the truth is:

“[R]equiring that type of comically frustrating password complexity is now known to be a terrible idea, and has actually contributed to the problems we have now with cyber breaches. Here’s what Bill Burr, the guy from NIST who wrote the old guide to password standards now says: ‘Much of what I did I now regret. In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.’”

Length and uniqueness are much more important that the presence of funny characters, moreover, note that passwords are usually stolen from the user (phished, logged, tapped), not guessed. “At least 6 characters and not any of the comically common passwords like qwerty, sesame or password” suffices for all usages I’m in care of (non-financial of course).

Personally, I use DigitalPersona's Fingerprint Keyboard (yes, Microsoft does [or did] make a similar device, both integrated with or separate from the keyboard).

This allows the generation of extremely long and complicated passwords that don't have to be written down (as the press of your finger on the reader supplies the password to the Logon dialog [system/application/website]).

This, in my opinion, provides the best of both worlds: Extremely difficult to "guess" passwords, without having to remember them. It also makes simple the additional security recommendation of using different passwords on different systems.

Well, that's my two-cents' worth.

Some rules to follow:

1. Avoid Control Characters. It's not as prevalent today, but control characters all have special meanings and some hardware intercepts control characters to perform special functions. Some will cause data issues Example Control 0 (Zero) would generate a null.
2. Are you going to impose security restrictions? This is a user interface question as well as a security issue. What is your application and it's need for security. Many of the examples previously given are out of date. Hash tables for combinations of passwords are published for up to 15 character passwords and 16 character passwords can be brute forced withing minutes if the password is otherwise weak or follows typical human behavior. Starts with a capital, ends with number or special character.
3. I'd avoid common wildcard characters, quotes, colon, semi-colon, etc... that are commonly used in OS or DB languages.
4. Multi-factor authentication is a good way to go. Don't depend upon the password only or don't accept passwords at all.