Without thinking about it at all I just want to say I should allow every character. It gets hashed in any case, and I don’t want to limit people who want to create strong passwords.
However, thinking about it more, there are plenty of characters that I have no idea what effect they’d have on things. Foreign characters, ascii symbols, etc. to name a couple.
I tried to Google but I can’t find any definitive standard for what people do. Even most professional organizations don’t seem to know. It seems to be a common practice for many sites to disallow special characters altogether, which is just silly and not what I want to do.
Anyway, are there any standard recommendations for length, allowed characters, and so forth?
I’m not sure if it matters, but I’ll be using ASP.NET w/ C#
Any printable, non-whitespace ASCII character (between 33 and 126 inclusive) are typically allowed in passwords. Many security professionals (and SO commenters) are advising the use of a passphrase in place of a password, so you’d have to allow spaces. The argument is that due to their length, and since phrases aren’t in a dictionary, passphrases are more difficult to crack than passwords. (A passphrase can also be easier to remember, so a legitimate user doesn’t have to keep it written down on a sticky-note right on their monitor.)
Some strong password generators use a hash, so I’d put a very high limit on the length (512 or 1024) just to be inclusive. Password generators today often yield strings of 32-128 characters, but who knows what hashes will be used in the next few years.