password limitations in SQL Server and MySql

Question

Does MySql 5.1 and SQL Server 2008 (Web edition, Standard) have any functional password limitations other than length limits? Are metacharacters in any form a bad idea to use, like bang, pipe, hash, any slash, carrot, and so on?

I know that MySql 5.1 has a password length limitation of 16 characters that is hardcoded, but I was wondering, are any metacharacters (i.e. non alphanumerics) a bad idea to use? And is this true in SQL Server 2008 Web edition, Standard?

So specifically: can symbols like:

/`~>:}{[]^ be used successfully?

I would hope it doesn't matter to the database, but I don't understand enough about password storage in enterprise database systems yet to know for sure, and I was looking for confirmation or an explanation.

Answer 1

In my experience, it's the backslash \ and the single quote ' that you'll want to avoid in a MySQL password. From my tests, the following special characters appear to be fine to use:

!@#$%^&*:./?=+-_[]{}()<>

Also, 32-character passwords seem to be okay to use, too.

Answer 2

Watch out, even though MYSQL may work, your php/http daemon/.htaccess may do some wierdness to the req's before passing them along, I had a password with ( $ and ! in it, and it did NOT work from php-mysql based web page, but DID work from the console... 8 character password. $db_pass = "($JlKl1!"; And what do you know, it fails. change the password to "test" . and bam, it works. Change the password to something ridiculously long, (and entirely devoid of "$" or "!" or "(" ) and it also worked.

Answer 3

All these characters are good in SQL Server passwords, but the docs to back it up are sketchy.

The MSDN documentation on SQL Server password strength implies that any symbol including whitespace characters is allowed in SQL Server passwords, but if it contains white space it must be delimited in T-SQL statements.

Microsoft SQL Server passwords can contain up to 128 characters, including letters, symbols, and digits. Because logins, user names, roles, and passwords are frequently used in Transact-SQL statements, certain symbols must be enclosed by double quotation marks (") or square brackets ([ ]). Use these delimiters in Transact-SQL statements when the SQL Server login, user, role, or password has the following characteristics:

• Contains or starts with a space character.

• Starts with the $ or @ character.

The MSDN documentation on password policy explicitly confirms the following characters are allowed: ! $ # %

And, as you'd already know, the same documentation strongly encourages that you use passwords which are "as long and complex as possible."

Answer 4

 mysql> create user test identified by '/`~>:}{[]^';
 Query OK, 0 rows affected (0.13 sec)

yes - you can actually login now with this command line:

 C:\Documents and Settings\rbouman2>mysql -utest -h127.0.0.1 -P3351 -p
 Enter password: **********

I tried entering the password directly after -p, but that didn't work for windows - it thinks i want to invoke more if I do that. but I am 100% sure that's on the windows shell. MySQL itself feels this is a valid password.