Why shouldn't you use spaces, <, >, /, &, or # in your passwords?

I was filling out the registration form for TechSoup which sort of acts as a database for confirmed/trusted non-profit organizations, which Google has a partnership with for their non-profit alternative to G-Suite.

However, when I went to fill out the password form I realized that I had met all but one of the criteria, which reads, "Doesn't include spaces, <, >, /, & or #". This baffles me considering I grew up around services that basically shoved proper and safe password procedures, and as far as I understood any of those characters just make it even harder for anyone who attempts to perform a brute-force attack.

I will attach a snippet I grabbed, though you will realize it shows I met all criteria because I used a different password before grabbing the snippet.

7 Answers

  • 3 weeks ago

    These are reserved characters in HTML, that often go into representing objects or particular symbols. For example, <input type="text"></input> would create a text box.

    (I'm hoping Yahoo Answers isn't going to botch that one)

    But essentially they're trying to proof it so that your password doesn't break the format of your page.

    This is pretty lazy, though. Most modern sites would be able to handle these kinds of characters.

  • Chris
    Lv 7
    3 weeks ago

    If you want a safe password, just make it 12 or 16 characters long. It's not necessary to include special characters to make it safe.

    Uppercase, lowercase and numbers give you 62 different characters; adding 5 more to have 67 doesn't dramatically increase the time required to brute-force it.

    Some maths, if you're interested:

    For 8 characters, without special ones, it's 62^8 or 218340105584896 combinations.

    If you include them, it's 406067677556641, so roughly double that amount.

    Of course the factor increases the longer your password is, but adding a single character increases the number of combinations by a factor of *62*.

    Also, the idea that code can't handle these characters is utter nonsense. Yes, if you skip URL encoding and use a query string where a value has a & in your post body, the request parameters get messed up. But that is a trivial beginner's mistake not even worth mentioning in the context of password security.

    Finally, not allowing these characters will greatly increase the chances of people being able to enter the password properly on the first try, since they don't have to type weird characters on a keyboard that might be set to a different layout, or switch their smartphone keyboard to the special characters pane. It would actually be really interesting to find out how many man hours wasted with "my password doesn't work" BS are saved because of that rule.
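
Added example (not part of the answers or of any site's code): the form-body mistake described in the answer above, next to the URL-encoded version, plus the HTML escaping that lets the characters from the first answer appear safely in a page. The field names and the sample password are constructed for illustration.

```python
from html import escape, unescape
from urllib.parse import parse_qs, urlencode

# Constructed sample password containing every character the form rejects:
# space, <, >, /, & and #.
PASSWORD = "p <a>/b&c=d#e"


def naive_body(user, password):
    """Build a form body by string concatenation, with no URL encoding."""
    return "user=" + user + "&password=" + password


def encoded_body(user, password):
    """Build the same body as application/x-www-form-urlencoded data."""
    return urlencode({"user": user, "password": password})


def server_sees(body):
    """Parse a form body as a server-side framework would; return the password."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("password", [""])[0]


def html_round_trip(value):
    """Escape a value for an HTML attribute, then decode it as a browser would."""
    return unescape(escape(value, quote=True))


if __name__ == "__main__":
    # Unencoded: the '&' ends the password field early and starts a bogus field.
    print("naive   :", repr(server_sees(naive_body("alice", PASSWORD))))
    # Encoded: every reserved character survives the round trip.
    print("encoded :", repr(server_sees(encoded_body("alice", PASSWORD))))
    # HTML-escaped: no raw markup reaches the page, and the value is unchanged.
    print("escaped :", escape(PASSWORD, quote=True))
```

The password should be hashed on the server and never echoed back into a page; the HTML round trip only shows that the characters themselves are not the problem.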

  • Snezzy
    Lv 7
    3 weeks ago

    Use this one: CorrectHorseBatteryStaple. Unless, of course, Randall Munroe was using it first.

  • keerok
    Lv 7
    3 weeks ago

    What happens when you get to know the reason? Will the rules change?

    Those symbols are used in programming. The lines of code that will process your password will get confused if you used those symbols. Yes, there are ways to circumvent that and allow literally anything you type but that may introduce more problems which will actually make security more lax. 

  • 3 weeks ago

    Those symbols have special meanings in Windows and most other OS. Including them in a password could cause the program or website to misunderstand the password, think it is a command and try to run it, and thus lock you out of your account.

    The "/" symbol, for example, indicates the end of a command and that whatever is beyond the "/" is not part of the command, so it will not read it. If you make the password "pass/word" the program or web site could read it as the password "pass" followed by a parameter "word". The password would not work.

    When you are accessing a web site, often your password can be saved in a cookie and then automatically added to the log in information when you click on the log in link. If it has a "/" in it, the web site cannot properly interpret it and you will not be able to log in.

    Some sites will do extra programming to get around this issue.  Some will not.  So you have to follow the rules of the site you are wanting to log in to.

  • P
    Lv 7
    3 weeks ago

    Basically some characters are not friendly to save to databases and instead of coding in the ability to save them they just restrict people from using them. It also could be considered a security risk to include them since if not coded correctly hackers can exploit certain vulnerabilities in the program by using certain characters. When you restrict them you eliminate that possibility and save the programmer some time. Yes, it technically reduces the complexity of possible passwords but considering all the other characters you can use the sacrifice is minimal.

    Security experts have changed their recommendations of the complexity of your password to be not the biggest factor in determining security. Using different passwords for EVERY website and enabling 2 factor security are by far the only foolproof ways of securing yourself online.

  • Anonymous
    3 weeks ago

    Most likely, those characters break whatever parser they use to try to verify that you've followed their other rules.

    "and as far as I understood any of those characters just make it even harder for anyone who attempts to perform a brute-force attack."

    Not really.

    https://xkcd.com/936/
