

Why would you not permit Q or Z in passwords? - lachgr
http://security.stackexchange.com/questions/57909/why-would-you-not-permit-q-or-z-in-passwords

======
ajuc
For Poland I would consider forbidding Y, y, Z and z in passwords.

Windows by default installs 2 keyboard layouts - Polish programmers layout and
Polish "touchtyper" layout, which has z and y switched (and which nobody ever
used on purpose).

The shortcut to change the layout is Ctrl+Shift and many people don't know
it, but they can randomly hit Ctrl+Shift (it doesn't help that when you want
to select a whole word of text it's Ctrl+Shift+Right), and then their password
suddenly doesn't work.

Happened to me, my friends, family. People that work often with computers know
to check that, but casual users don't. I think it has cost millions of PLN in
support calls and wasted time already.

~~~
mhaymo
Rather than forbidding those characters, you can go the Facebook route and
store multiple hashes for common typos. So if a user of your Polish website
uses the password "huntyr2", you store that hash and also the hash of
"huntzr2", and allow access using either of those passwords.

~~~
ajuc
My server would explode if someone had chosen a password like
"zzzzzzzzzzzzzzzzzzzzzzz" :)

Now that I think about that - I wonder how Facebook deals with it?

I guess only check "zzzzzzzz" and "yyyyyyyy", not all possible variations.
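
An added example, not part of the thread and not any site's actual code: tolerating the y/z layout mix-up discussed above without enumerating variations. It assumes the wrong layout swaps every y and z at once, so each password has exactly one alternative, which is tried at login against the single stored hash; `enroll`, `verify` and `layout_variant` are hypothetical names.

```python
import hashlib
import hmac
import os

# Assumption: the two layouts differ only in the y and z keys (both cases).
LAYOUT_SWAP = str.maketrans("yzYZ", "zyZY")


def layout_variant(password):
    """The same keystrokes typed with the other layout active."""
    return password.translate(LAYOUT_SWAP)


def _kdf(password, salt, iterations=200_000):
    # Salted, deliberately slow hash from the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password):
    """Store one salted hash; no extra hash per variant is needed."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


def verify(record, attempt):
    """Return 'exact', 'layout' (matched after the y/z swap) or None."""
    candidates = [("exact", attempt)]
    swapped = layout_variant(attempt)
    if swapped != attempt:  # passwords without y/z have no second candidate
        candidates.append(("layout", swapped))
    result = None
    for label, candidate in candidates:
        # Every candidate is hashed and compared; no early return on a match.
        digest = _kdf(candidate, record["salt"])
        if hmac.compare_digest(digest, record["hash"]) and result is None:
            result = label
    return result


if __name__ == "__main__":
    rec = enroll("huntyr2")  # constructed sample, password taken from the thread
    for attempt in ("huntyr2", "huntzr2", "hunter2"):
        print(attempt, "->", verify(rec, attempt))
```

Each login attempt tests at most two candidate passwords, so the cost stays at two KDF evaluations no matter how many y or z characters the password contains.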

------
shalmanese
dupe of
[https://news.ycombinator.com/item?id=7741610](https://news.ycombinator.com/item?id=7741610)

~~~
Zhian
Which is a dupe of:
[https://news.ycombinator.com/item?id=7741443](https://news.ycombinator.com/item?id=7741443)

