Is there any legitimate technical reason that some web sites forbid special characters in passwords?

Yes, in many programming languages, certain special characters have a meaning within the program. They trigger some action, which is not what you want from a password string. If you are dealing with such a situation, you can program a routine to parse the string and escape any special characters that might cause trouble, but it’s easier and more efficient on the server side to just ban them.

%&8($#@——
shhh This acceses the Fluther Administrator Pages

Just a sign of lazy programmers. It can be worked around if they wanted to.

@StellarAirman Not always. It depends on which framework they are dealing with. Certain environments allow a clever programmer to hack their way around that restriction, but some don’t. And when you consider that many programmers work with the tools that the bean-counters told management was best as opposed to what technically is best, you really can’t blame the programmers, at least not all of the time.

The reason is always that the website implements bad security practices. Any good, sensible website encrypts the passwords before they enter the database (with e.g. MD5 or sha1), and after that there should be no special characters in the way, and especially not as a residue of what the user entered.

When a site restricts the use of certain characters, be wary, and don’t use passwords you use in other places.

@Vincentt: I assume you intend to say that the websites should make a hash of the password and then store that hash instead of the password itself. This is different from encryption. With encryption the original password could still be retrieved.

@StellarAirman @jerv @ETpro: It often doesn’t have to do with the development tools, risk of developer error, or programmer laziness! The #1 real reason not to allow these characters is support costs. In many institutions “forgot-password” support costs are high and can be reduced by not allowing special characters. Somewhere there is a guy in a room right now on the other end of a support line telling someone how to type € on his US-Keyboard so that he can get into his corporate e-mail while visiting New York. The company paying two people’s salaries for this 15 minute call wishes they didn’t allow the special character.

@malevolentbutticklish I know you’ve got a good point there.

@malevolentbutticklish I was under the impression that many development tools were designed to implement things that way so as to keep that problem from cropping up in the first place. Some allow you to circumvent that safeguard, but default behavior is to prohibit actions like that one that may come back to bite you in the ass.
While many programmers and other skilled people may have no issues memorizing the ASCII chart, the average person may try to get a little tricky by using special characters and then wind up outsmarting themselves leading to a call to tech support. Thus, the simplest solution is prevention, therefore no special characters.
Same outcome, slightly different train of thought.

@malevolentbutticklish Yes, you are right, of course.

When it comes to your other point, however, I don’t really consider that a good point to save costs on – just make the users use a weak password so it’s less likely he’ll forget it. In a lot of cases (i.e. most websites) a “password reset” link should be enough, as people won’t really call that quickly.

@Vincentt: Many companies force a call to reset a password because many people leave their e-mail client open all day (even while at lunch, in the bathroom, and at meetings). Passwords without these characters are not weak! Weak passwords are predictable such as p@ssw0rd (which is based on a dictionary word with simple character substitution). Strong passwords are not predictable such as wMNTrMEpteHiMiYAwbGFyE0ZRAE (which contains no special characters but does contain a lot of entropy).

@malevolentbutticklish I know, but as this question was about websites in general, the majority of those do not require a call.

The unpredictable example you gave can still easily be bruteforced, so it’d be wise for a company to add a timeout (and even that doesn’t guarantee it can’t be bruteforced). Predictability is not the only factor in security.

@Vincentt: “The unpredictable example you gave can still easily be bruteforced” <== no it can’t. The password I provided has 168 bits of entropy. A brute force attack that could process 1,000,000,000 passwords per second would take 10^41 seconds. The universe is only 432,329,886,000,000,000 seconds old.

If you say so, I’m not well-versed in this enough to counter that, but I suppose that’s more because of the length, with the use of only upper- and lowercase characters pretty much irrelevant to that (except for that using more special characters would make the alphabet a bruteforcer would have to try even larger)?

@Vincentt: Even the most basic set of a-zA-Z0–9 gives an alphabet of 62 characters. This is only 13.9% smaller than the alphabet with 10 special characters.

~2.48e+48 permutations is enough to stymie current computing technology, but it is an arms race. Enigma was nearly uncrackable at one time yet can now be brute-forced in seconds by an iPhone.

@jerv: Even if computing power doubled every year for the rest of our lives it would still take longer than the age of the universe to brute-force a 168-bit password the year of our death. If there is a leap in computing power greater than the equivalent of a lifetime of yearly doublings things will change so radically the data you are protecting probably won’t matter.

@malevolentbutticklish True, but my point is merely that we can’t predict how powerful computers really will grow to be by the time you and/or I are wormfood.

Read some old predictions and see if you can figure out how I really feel about the issue.

@jerv: Of course long term predictions are difficult but please consider how game changing such a powerful computer would be.

@malevolentbutticklish When I was a kid, there were no cell phones and no World Wide Web.
Those two things alone changed the game considerably.
I’m not terribly old, so the game could easily change that dramatically again before I die.
It might not, but it’s damn well possible!

agreed