| Author | Post |
|---|---|
|
#1 Mon May 30, 2005 5:15 pm
|
|
|
Member
Registered: Apr 2004
Posts: 39
Location: Rainy Belgium
|
I'm just curious why you did that?
For security reasons it's a lot better to allow characters like &, @, #, etc. in the password. Then it takes more combinations to crack the hash. |
|
#2 Tue May 31, 2005 5:43 pm
|
|
|
Member
Registered: Nov 2004
Posts: 18
|
I like to allow any characters, as they won't be any sort of security risk once I hash them.
_______________ I love PHP! |
|
#3 Tue May 31, 2005 6:23 pm
|
|
|
Developer
Registered: Apr 2004
Posts: 2202
Location: Belgium
|
Imagine the following:
- A board has two languages available: English and Russian. The English translation uses the default ISO-8859-1 charset. The Russian one uses a windows-* charset to enable the use of Russian.
- A user sets his password using the English language pack, i.e. when iso-8859-7 is active, and he uses Russian characters in his password. Under these circumstances, because the encodings differ, the browser sends the Russian characters as entities, and the system saves them as entities.
- The user tries to log in while the default charset is set to Russian, thus with a windows-* charset. The browser will now send the Russian characters not as entities but as real Russian characters, because the encoding is the same.
- The user will not be able to log in (wrong password).

This situation was possible until UseBB 0.4 or so; until then, using non-alphanumeric characters for login information was allowed.

Of course we could first transform the entities, but this is practically impossible for the number of encodings that exist. We could also use UTF-8, but UseBB does not yet support this, and it is not easy to do with the database either, as far as I know.

Of course we could allow #, @, &, etc. But I doubt that this makes any difference to security. Alphanumeric passwords (case sensitive) already offer a very wide range of possibilities. With the minimum required characters of 8, there can be 218340105584896 possibilities, which is more than enough. |
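The charset mismatch described in post #3, reproduced as an added example that is not part of the original posts or of UseBB's code: the same password submitted from an ISO-8859-1 page and from a windows-1251 page reaches the server as different bytes, so the stored hash never matches. The sample password, the function names and the use of SHA-256 are assumptions for illustration, and the canonical form assumes the server knows which charset the form was served in.

```python
import hashlib
import html
import unicodedata

# Constructed sample password containing Russian characters.
PASSWORD = "пароль123"

def browser_submit(text: str, page_charset: str) -> bytes:
    """Model a form submission: characters the page charset cannot
    represent are sent as numeric character references (&#NNNN;)."""
    return text.encode(page_charset, errors="xmlcharrefreplace")

def naive_hash(wire: bytes) -> str:
    """Hash the bytes exactly as received (SHA-256 is a stand-in hash)."""
    return hashlib.sha256(wire).hexdigest()

def canonical_hash(wire: bytes, page_charset: str) -> str:
    """Decode with the charset the form was served in, undo character
    references, normalise, then hash one fixed encoding (UTF-8).
    Caveat: a password that literally contains text such as "&#1087;"
    is rewritten as well, so the mapping is not perfectly reversible."""
    text = html.unescape(wire.decode(page_charset))
    text = unicodedata.normalize("NFC", text)
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def demo() -> dict:
    english = browser_submit(PASSWORD, "iso-8859-1")    # English language pack
    russian = browser_submit(PASSWORD, "windows-1251")  # Russian language pack
    return {
        "english_wire": english,   # character references
        "russian_wire": russian,   # raw windows-1251 bytes
        "naive_match": naive_hash(english) == naive_hash(russian),
        "canonical_match": canonical_hash(english, "iso-8859-1")
        == canonical_hash(russian, "windows-1251"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```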
UseBB Community is powered by UseBB 1 Forum Software