@RayS said:
...the system in question is also available through some other method where inputting certain characters is impossible/impractical (such as mobile devices) or else has to integrate with some legacy system. I've developed one where the former applied, and work with another where the latter does. If you're in some wonderful enterprisey state of several different systems interacting, where the choice is between dropping support for a few characters or else having the user remember and enter several passwords, I don't blame people who chose the easier solution.

True.

But the few instances in my recollection made me go 'WTF' precisely because I couldn't think of a good reason why they were like that. They were new systems that were certainly targeting desktop users (public-facing websites with no mobile equivalents... and on what portable/mobile browser can you not enter a period as easily as other characters?). And these systems didn't have multiple faces. By that I mean there wasn't any way for end users to log into any underlying legacy or otherwise incompatible system, if that were the motivation.

What should be done, in such cases, is have the user's master password act as a key from which are derived legacy-compatible passwords that no user ever enters, but which are stored, emitted, and updated by the system transparently. This can help smooth over password change requirements as well (if an underlying password needs to change more frequently, it can be done by the system automagically).
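The derivation scheme the post sketches (one master password, per-system legacy-compatible passwords the user never sees, rotated by bumping a counter) can be built from standard primitives. The following is an added example written for this thread, not code from any poster or product: it stretches the master password with PBKDF2 into a master key, expands that key per system and rotation version with an HKDF-style HMAC chain, and maps the output onto whatever restricted character set the legacy system accepts using rejection sampling so no character is favoured by modulo bias. The function names, the `system_id`/`version` labels and the sample alphabet are all assumptions made for the example.

```python
import hashlib
import hmac
import string

# Example, not anyone's production code. The master key would normally be
# kept only in memory during a session; the derived passwords are what get
# stored (encrypted) or emitted to the legacy system.

DEFAULT_LEGACY_ALPHABET = string.ascii_letters + string.digits  # assumed legacy rule: alphanumerics only


def derive_master_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the user's master password into a 32-byte key (PBKDF2-HMAC-SHA256).

    `salt` is a per-user random value stored alongside the account; `iterations`
    is tunable so the test can run quickly while production uses a high count.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=32)


def _expand(key: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256: T(i) = HMAC(key, T(i-1) | info | i)."""
    out = b""
    block = b""
    counter = 1
    while len(out) < length:
        block = hmac.new(key, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_legacy_password(master_key: bytes, system_id: str, version: int,
                           length: int = 12, alphabet: str = DEFAULT_LEGACY_ALPHABET) -> str:
    """Deterministically derive a password for `system_id` drawn from `alphabet`.

    Bumping `version` yields an unrelated password, which is how a forced
    rotation on the legacy side is satisfied without touching the master password.
    Bytes >= `limit` are discarded so every alphabet character is equally likely.
    """
    if not 0 < len(alphabet) <= 256:
        raise ValueError("alphabet must have between 1 and 256 characters")
    limit = 256 - (256 % len(alphabet))  # largest multiple of len(alphabet) below 256
    chars = []
    chunk = 0
    while len(chars) < length:
        # Domain-separate by system, rotation version and chunk index.
        info = f"legacy-pw|{system_id}|v{version}|{chunk}".encode("utf-8")
        for b in _expand(master_key, info, 64):
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
                if len(chars) == length:
                    break
        chunk += 1
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    key = derive_master_key("correct horse battery staple", b"per-user-salt-16b", iterations=10_000)
    print("mainframe v1:", derive_legacy_password(key, "mainframe", 1))
    print("mainframe v2:", derive_legacy_password(key, "mainframe", 2))
    print("payroll   v1:", derive_legacy_password(key, "payroll", 1, length=8, alphabet=string.digits))
```

Only the master password (stretched) and the per-user salt are secrets; `system_id` and `version` are public labels, so the system can re-derive or rotate any downstream password without the user re-entering anything, which is the point the post makes about transparent updates.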