We recently went to create an account on a web site (name withheld).
During the process we needed to create a password.
Then we got an error message:
The ‘#’ character is not allowed for security purposes.
What is that? A joke? How does restricting characters improve security?
Most reasonable web applications do not, and should not, care which characters appear in a password.
When a password is submitted, regardless of any exotic characters it contains, it should be hashed immediately.
Then the resulting hash is compared to the hash stored on file.
And hash sums (md5, sha1, etc.) contain no "exotic" characters at all: they are fixed-length strings of hex digits, whatever the input was.
It seems that sites which restrict these characters are likely not hashing the password, because why else would they care?
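To make the point concrete, here is an added example (not from the site in question) that registers passwords containing '#', quotes and non-ASCII letters, hashes them with salted PBKDF2-HMAC-SHA256 (a password-hashing construction, used here in place of bare md5/sha1), and verifies a login by comparing hashes. The stored record is always plain hex digits and '$' separators, so no input character ever needs to be forbidden; the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

# Constructed sample passwords containing the characters a site might call
# "exotic"; none of them needs to be rejected, because only bytes are hashed.
SAMPLE_PASSWORDS = ["correct#horse#battery", "pässwörd!\"<>';--", "plain"]

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune for your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted record of the form algorithm$iterations$salt_hex$digest_hex.

    The password is encoded to UTF-8 first, so any Unicode string is accepted.
    The stored record itself is pure ASCII: hex digits and '$' separators.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:  # malformed record: wrong field count or non-hex salt
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def record_is_hex_only(record: str) -> bool:
    """True when the salt and digest fields hold nothing but hex digits."""
    _, _, salt_hex, digest_hex = record.split("$")
    return all(c in string.hexdigits for c in salt_hex + digest_hex)


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        rec = hash_password(pw)
        print(f"{pw!r:28} -> {rec[:44]}...  hex-only={record_is_hex_only(rec)}")
```

A site that stores only such records cannot email anyone their password, because it never keeps it; a reset link is the only option left.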
Note: to confirm this, we asked the site for help recovering our password.
Rather than sending a reset form, they sent an email containing our password, proving they are not following the best practice of password hashing.