PHP login password question

Theoretically, there is no restriction that you need to have. But from programming ease point of view, I know that ' should not not allowed (mysql injection, etc but if code is written properly, it should not be a problem).

Depends on how much security you need. I say upper and lower case letters, numbers, and the majority of symbols (all the top-row symbols, plus question mark, comma, period and maybe a few others).

You should be as unrestrictive as possible. Let people use what characters they want.

Any character they like, and any length they like (except maybe not over your PHP Post limit). In a good password system, you only store the hash, and when logging in, you only send the hash as well. So it shouldn't matter.

And even if you store the password, you should escape any string you put in the database (mysql_real_escape_string), so any character could and should be allowed. If you store the actual password, you could limit the length to the field size, which I think should be at least 200 chars in that case.

I think you should deside what character set you are using, and limit it only to that. So if you are not using UTF8 but e.g. ISO-8859-1, you don't want them writing multi-byte characters.

Anything available on a standard en-US keybaord is fine.

You can allow any characters to be inserted in the password. Please ensure that you validate the input to prevent MySQL Injection - if encryption is not used. It's advisable to encrypt the passwords by using at least MD5() or SHA1().

I think the should be allowed to enter every letter they want. But you should enforce a proper length for the password to make it more secure. Also I would advise you to use federated login if you could:

• openid: lightopenid is a really easy library.
• facebook connect
• twitter single sign-in

These alternatives are going to be way securer.