The check for illegal characters is too broad:

  if (preg_match('/[\x{80}-\x{A0}'.          // Non-printable ISO-8859-1 + NBSP
                   '\x{2000}-\x{200F}'.      // Various space characters
                   '\x{2028}-\x{202F}'.      // Bidirectional text overrides
                   '\x{205F}-\x{206F}'.      // Various text hinting characters
                   '\x{FEFF}'.               // Byte order mark
                   '\x{FFF9}-\x{FFFD}]/u',   // Replacement characters

While it could be a good idea to exclude invisible control characters, it is too common to use "accented" Latin characters in passwords.

Consider reducing the check to allow for Latin punctuation, soft hyphen, and full-width Latin.
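
An added example, not taken from the module or from this issue: a small PHP script that runs the character class quoted above over constructed sample passwords and reports, for each one, whether the class matches. The names `ILLEGAL_CHARS` and `classify_password` and all sample strings are assumptions made for the illustration.

```php
<?php
// Added example, not LoginToboggan code. The character class is copied from
// the excerpt above; names and sample passwords are constructed.
const ILLEGAL_CHARS = '/[\x{80}-\x{A0}'   // Non-printable ISO-8859-1 + NBSP
  . '\x{2000}-\x{200F}'                   // Various space characters
  . '\x{2028}-\x{202F}'                   // Bidirectional text overrides
  . '\x{205F}-\x{206F}'                   // Various text hinting characters
  . '\x{FEFF}'                            // Byte order mark
  . '\x{FFF9}-\x{FFFD}]/u';               // Replacement characters

// Returns 'accepted', 'rejected (...)' or 'error (...)' for one password.
function classify_password(string $pass): string {
  $result = preg_match(ILLEGAL_CHARS, $pass, $m);
  if ($result === false) {
    // With /u, input that is not valid UTF-8 makes preg_match() return
    // false, which a bare if (preg_match(...)) treats like "no match".
    $bad_utf8 = preg_last_error() === PREG_BAD_UTF8_ERROR;
    return $bad_utf8 ? 'error (invalid UTF-8)' : 'error (PCRE failure)';
  }
  if ($result === 1) {
    // Show the first offending character as its UTF-8 bytes in hex.
    return 'rejected (UTF-8 bytes ' . strtoupper(bin2hex($m[0])) . ')';
  }
  return 'accepted';
}

// Constructed samples covering the classes named in the issue, plus the
// invisible characters the check is meant to catch.
$samples = [
  'accented Latin (U+00E9)'         => "caf\u{00E9}2024",
  'Latin punctuation (U+00BF)'      => "\u{00BF}qu\u{00E9}?",
  'soft hyphen (U+00AD)'            => "pass\u{00AD}word",
  'full-width Latin (U+FF21)'       => "\u{FF21}bc123",
  'no-break space (U+00A0)'         => "pass\u{00A0}word",
  'zero-width space (U+200B)'       => "pass\u{200B}word",
  'right-to-left override (U+202E)' => "pass\u{202E}word",
  'ISO-8859-1 bytes, not UTF-8'     => "caf\xE92024",
];

foreach ($samples as $label => $pass) {
  printf("%-34s %s\n", $label, classify_password($pass));
}
```

Distinguishing the `false` return from `0` matters when auditing a check like this, because input in another encoding is neither matched nor validated by the pattern.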

Comments

tunic:

I agree, and what is worse, you can't just disable the automatic validation. This can cause issues to users that use Latin characters in their mother tongue, as in this case: http://drupal.stackexchange.com/questions/129809/password-may-contain-il...

I'll be happy to write a patch if maintainers approve this change.

nielvrom:

This is a bad feature I think... I'm having the problem that my client wants to have é in his passwords but that's not possible with the LoginToboggan module. A patch would be awesome!

gandhiano:

Version: 6.x-1.x-dev » 7.x-1.5

This problem still exists on 7.x.

I also think this is a bug, or a very unwanted feature for the reasons already specified above. Are there otherwise any specific characters that would be wrongly stored in the DB, so that the user is unable to log in afterwards?

cslevy:

Here is a patch which allows customizing this:

https://www.drupal.org/node/2340577#comment-12001990