Is there something special about characters that should be allowed/not allowed in a password?
I store the password in the db hashed/salted and use PDO to prevent against injection. Is what I’m doing enough? Recently I came across a system that disallowed a number of characters, don’t remember all of them, but one was the ampersand &. Were they doing it for anti-database injection reasons, or is there something else I’m missing? Should password characters be restricted to a certain set of characters or no need?
There is no technical reason to disallow any characters in a password. I guess in the case you describe, they would allow only alpha-numeric characters to avoid problems on the user’s side (say, by entering a character that isn’t available on keyboards in another country).
Many providers and sites force users to choose very complex passwords containing a minimum number of digits and, sometimes, even special characters to prevent brute-forcing or dictionary attacks.
I don’t think forcing people to choose a complex password is wise. Passwords you can’t remember, you will write down somewhere, which often creates a much bigger security risk in real life.
A simple rate limit in the login system (e.g. deny access for 15 minutes after 3 failed login attempts) takes the edge off the brute-forcing threat much more elegantly.
One doesn’t have to agree 100% with it, but I found this provocative paper on the subject from Microsoft Research very interesting: “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users”.
From the abstract:
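As an added example (not code from the question or the answer above, and in Python rather than the asker’s PHP/PDO), here is the two points of the answer in working code: a salted password hash that accepts any character the user types, including `&`, quotes, `;` and non-ASCII text, and a login throttle that denies access for 15 minutes after 3 failed attempts. The SQL layer never sees the password at all, only the hex-encoded hash string, so character restrictions buy nothing there. The `LoginThrottle` class, its `clock` parameter and the `pbkdf2_sha256$…` storage format are choices made for this example, not anything from the original post.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

SALT_LEN = 16
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (current OWASP guidance)


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex.

    The password is UTF-8 encoded, so every code point is acceptable input;
    nothing here cares about '&', quotes or SQL keywords.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    computed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


@dataclass
class LoginThrottle:
    """Per-account lockout: after max_failures bad attempts, refuse every login
    (even with the right password) until lockout_seconds have passed.

    `clock` is injectable so the lockout window can be tested without waiting.
    This is an example design, not code from the original post.
    """
    max_failures: int = 3
    lockout_seconds: int = 15 * 60
    clock: Callable[[], float] = time.monotonic
    # username -> (consecutive failures, locked_until timestamp)
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def attempt(self, username: str, password: str, stored_hash: str) -> str:
        now = self.clock()
        failures, locked_until = self._state.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"          # still inside the penalty window
        if verify_password(password, stored_hash):
            self._state.pop(username, None)  # success clears the failure count
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            # start the 15-minute lockout and reset the counter for afterwards
            self._state[username] = (0, now + self.lockout_seconds)
            return "locked"
        self._state[username] = (failures, 0.0)
        return "fail"


if __name__ == "__main__":
    # Constructed sample passwords: SQL-looking text and non-ASCII both hash fine.
    for pw in ["p&ss' OR 1=1; --", "pässwörd€", "plain"]:
        stored = hash_password(pw)
        print(pw, "->", stored[:40] + "...", verify_password(pw, stored))
```

Note that a per-account lockout like this lets anyone who knows a username lock that user out for 15 minutes; throttling per source address or adding a growing delay instead of a hard lock are the usual ways to soften that, and both sit comfortably alongside the hashing shown here.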