Funny how a question about username rules has more comments on passwords. So let me first say I dislike sites not allowing spaces in user names: why should a username only be one single word? What is so unusual about having a space or even several spaces in the username, e.g. using your real name? For example, look at our own user names.
In regard to passwords, what I hate about many sites is only allowing a small set of characters usable in passwords. Then you can't, for example, use password generators that easily put a 200-character-long password into the clipboard, or even into the HTML form, for you to set and later use without knowing it yourself.
On the other hand, I like some advice about remembering a sentence and only using the first letters of words, some punctuation and word lengths for digits. It's your decision to use whatever is on your keyboard and goes through. As tore points out, what should be stored is a hash of the password anyway, a binary thing, not at all needing any capability to store some charset. The hash can even be shorter than what you're allowed to enter as a password, and that doesn't render longer passwords unnecessarily oversized: the longer a password is, the more likely it leads to less frequent hashes than well-known weak passwords do, so it raises the security of your stored hash even if a site does not salt your password or doesn't use other well-known best practices. A password length limitation I would consider sensible is perhaps 1K size; that already makes each login submit a longer request than usual. But if a site only allows 10-char passwords, it's quite likely they store it in a char(10) field, and that's a bad idea.
As long as the same entered password goes over to the script hashing it for comparison with the stored hash, and results in the same hash for the same entered password, everything is fine, and there is no reason to restrict the password characters just because of the risk of mistyping it. On the other hand, for handing out password reset passwords to a user, you can limit yourself to a subset of characters that is easier to retype. Especially if it doesn't come to you as text you can copy & paste, but comes as an SMS on a legacy phone with no internet connection, or is read to you via phone, so you really need to be able to type it in easily. You'll not allow this reset password to persist anyway; the first action a user should take after logging in with such a password reset password is to change it to his own new password.
Again, more rules about passwords than username.
Some systems I support use a short user name, more like name initials. Some desktop systems simply use the Windows account name, and that is the last name plus usually one letter of the first name, mostly to prevent double names. Of course an email address is fine because it's known to be a unique property (in the sense of ownership too) of the user, but it makes less sense in a system for a company, where everybody's mail address ends in @company.com or similar.
Bye, Olaf.
PS: Mike raises a topic by saying you shouldn't make a user name case sensitive. Besides this, similar-looking chars also allow other users to mimic a user name and still be a separate user. This can be used to profit from a good reputation in e.g. bid systems like eBay. But it's a hard rule to disallow similar-looking names. Would you really disallow l because it looks similar to I, or 0 as it looks like O? This is rather a problem of display of names than it is a problem to distinguish them internally, as you do so by a numeric user ID or a GUID, like every data record's PK. It's also rather a rule for product keys, which are typed in from reading a box or label, than a rule about user names.
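The points above (store a fixed-size hash of any characters up to a ~1K cap, compare usernames case-insensitively and treat look-alike characters as the same account for uniqueness, hand out reset passwords from an easy-to-retype alphabet) as one added Python example; this is not code from the thread or any site's implementation. The confusable table, the 1024-byte cap, the PBKDF2 iteration count and the reset alphabet are assumptions chosen for illustration.

```python
import hashlib
import secrets
import unicodedata

# Assumed policy values: a ~1K byte cap as suggested in the post, an
# illustrative PBKDF2 iteration count, and a reset-password alphabet that
# drops the l/I/1 and O/0 look-alikes so it can be read aloud or retyped.
MAX_PASSWORD_BYTES = 1024
PBKDF2_ITERATIONS = 100_000
RESET_ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"
# Minimal, hypothetical confusable table applied after casefolding; it is
# used only for the uniqueness key, the display name keeps what was typed.
CONFUSABLES = str.maketrans({"l": "1", "i": "1", "o": "0"})


def canonical_username(name: str) -> str:
    """Key deciding whether two usernames denote the same account.

    Case-insensitive, inner spaces allowed but runs of whitespace collapsed,
    and look-alike letters folded so 'Olaf' and '0laf' collide on registration.
    """
    name = unicodedata.normalize("NFKC", name).casefold()
    name = " ".join(name.split())
    return name.translate(CONFUSABLES)


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Accept any characters; only the UTF-8 byte length is capped.

    Returns (salt, digest). The digest is fixed-size binary no matter how
    long the password is or which characters it uses.
    """
    data = password.encode("utf-8")
    if not data or len(data) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password must be 1..{MAX_PASSWORD_BYTES} UTF-8 bytes")
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Same input, same salt, same hash; compared in constant time."""
    try:
        _, digest = hash_password(password, salt)
    except ValueError:
        return False
    return secrets.compare_digest(digest, stored)


def reset_password(length: int = 12) -> str:
    """One-time reset password drawn from the easy-to-retype alphabet."""
    return "".join(secrets.choice(RESET_ALPHABET) for _ in range(length))
```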