I was just wondering why certain websites don’t allow anything other than letters and numbers in the password field.
Is there a security reason or perhaps it’s just a limitation of the DB they are using? Thanks for the info.
Edit: It appears that Oracle’s database doesn’t acknowledge uppercase and lowercase? Is this true? I was told that via PM. Thanks for the information guys, this is really useful stuff.
I wonder why this question has 3 votes to close though. Not enough jQuery and freehand circles?
No reason at all, except for sloppy DB coding where they would allow plain text in the DB or use the (non-portable) DB functions to hash the password and use direct SQL statements.
This seems just like plain string validation.
Other than that, on the practical side, special character placement on foreign or cramped keyboards is tricky and might be more frustrating for users who are traveling (or, in the more modern case, using alternative input like an on-screen keyboard on a smartphone).
Some websites might even push the system further by providing their own on-screen keyboard to log in (with various scrambling).
Disallowing special characters helps QA, and reduces multi-platform user frustration.
And finally, by allowing a limited (deemed safe) character set (that is not only punctuation but also more language-specific characters in Unicode), developers can also avoid encoding confusion between the browser and the server application (form data encoding is not very clear in the standard, and can be tricky on some browsers).