Survey on different systems

URL encoding

Since usernames are submitted as URL paramaters, they must be URL-encodable.

HTTP Basic authentication

Usernames must not contain a single colon (":") or ASCII control characters (0-31, 127). Additionally, the sequence "CR LF" followed by either a Space or a Horizontal Space is also a valid sequence.

For more information, please refer to Section 2, Basic Authentication Scheme of RFC2617^[1] for detailed information.

MediaWiki

In order for a username to be legal, the username must be a valid page title (For the user page). Illegal characters for page titles are^[2]

#<>[]|{}

Certain character sequences ("/..", etc.) are also illegal^[3] but are already filtered by the general check.

Certain special usernames are also filtered: Characters that look like IPv6 or IPv6 characters and interesting Unicode characters, see User::isValidUserName() in includes/User.php:

$unicodeBlacklist = '/[' .
    '\x{0080}-\x{009f}' . # iso-8859-1 control chars
    '\x{00a0}' .          # non-breaking space
    '\x{2000}-\x{200f}' . # various whitespace
    '\x{2028}-\x{202f}' . # breaks and control chars
    '\x{3000}' .          # ideographic space
    '\x{e000}-\x{f8ff}' . # private use
    ']/u';

Additionally, MediaWiki filters new usernames that contain an "@" sign^[4].

The maximum username length is 255 bytes (which is less then 255 characters, if you use multibyte characters). This is checked both by $wgMaxNameChars and by page name restrictions.

Drupal

(fsinf.at)

http://api.drupal.org/api/drupal/modules--user--user.module/function/user_validate_name/6

vBulletin

(informatik-forum.at)

phpBB

" and " are always invalid.

By default, usernames are restricted to 'USERNAME_CHARS_ANY', which expands to the regex "^.+$"

Wordpress

XMPP

XMPP allows usernames in unicode, but some characters are forbidden:

"&'/:<>@

... as well as:

ASCII Space characters
Non-ASCII Space characters
ASCII Control characters
Non-ASCII Control characters

Linux system accounts

On Debian, usernames must neither start with a dash ("-") nor contain a colon (":") or any type of whitespace (" ", newline, etc.) and usernames may be up to 32 characters long^[5]. Apparently, a slash ("/") is even a valid username, but you don't want this.

Windows system accounts

Windows has several reserved names that cannot be a valid username^[6]. Additionally, some characters are invalid:

"/\[]:;|=,+*?<>

Otherwise, usernames can contain all other special characters, including spaces, periods, dashes, and underscores^[7].

Email

Wikipedia provides good reference^[8]:

The local-part of the e-mail address may use any of these ASCII characters:

Uppercase and lowercase English letters (a–z, A–Z)
Digits 0 to 9
Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
Character . (dot, period, full stop) provided that it is not the first or last character, and provided also that it does not appear two or more times consecutively (e.g. John..Doe@example.com).

Summary

ASCII table

char	URLs	HTTP basic auth	MediaWiki	phpBB	XMPP	Linux	Email	RestAuth
	Y	Y	Y		N	N	N
!	Y	Y			Y	Y^{[n 1]}	Y
"	Y	Y		N	N	Y^{[n 1]}	N
#	Y	Y	N		Y	Y^{[n 1]}	Y
$	Y	Y			Y	Y^{[n 1]}	Y
%	Y	Y			Y	Y^{[n 1]}	Y
&	Y	Y			N	Y^{[n 1]}	Y
'	Y	Y			N	Y^{[n 1]}	Y
(	Y	Y			Y	Y^{[n 1]}	N
)	Y	Y			Y	Y^{[n 1]}	N
*	Y	Y			Y	Y^{[n 1]}	Y
+	Y	Y			Y	Y^{[n 1]}	Y^{[n 2]}
,	Y	Y			Y	Y^{[n 1]}	N
-	Y	Y			Y	Y^{[n 3]}	Y
.	Y	Y			Y	Y^{[n 1]}	Y^{[n 4]}
/	Y^{[n 5]}	Y			N	N	Y	N
[0-9]	Y	Y			Y	Y^{[n 6]}	Y
:	Y	N	Y^{[n 3]}^{[n 7]}		N	N	N
;	Y	Y			Y	Y^{[n 1]}	N
<	Y	Y	N		N	Y^{[n 1]}	N
=	Y	Y			Y	Y^{[n 1]}	Y
>	Y	Y	N		N	Y^{[n 1]}	N
?	Y	Y			Y	Y^{[n 1]}	Y
@	Y	Y	Y^{[n 8]}		N	Y^{[n 1]}	N
[A-Z]	Y	Y			Y	Y^{[n 1]}	Y^{[n 9]}
[	Y	Y	N		Y	Y^{[n 1]}	N
\	Y	Y			Y	Y^{[n 1]}	N
]	Y	Y	N		Y	Y^{[n 1]}	N
^	Y	Y			Y	Y^{[n 1]}	Y
_	Y	Y			Y	Y	Y
`	Y	Y			Y	Y^{[n 1]}	Y
[a-z]	Y	Y			Y	Y	Y
{	Y	Y	N		Y	Y^{[n 1]}	Y
\|	Y	Y	N		Y	Y^{[n 1]}	Y
}	Y	Y	N		Y	Y^{[n 1]}	Y
~	Y	Y			Y	Y^{[n 1]}	Y

↑ ^1.00 ^1.01 ^1.02 ^1.03 ^1.04 ^1.05 ^1.06 ^1.07 ^1.08 ^1.09 ^1.10 ^1.11 ^1.12 ^1.13 ^1.14 ^1.15 ^1.16 ^1.17 ^1.18 ^1.19 ^1.20 ^1.21 ^1.22 ^1.23 ^1.24 ^1.25 ^1.26 ^1.27 ^1.28 Not recommended
↑ often used as tag delimiter
↑ ^3.0 ^3.1 must not start with this character
↑ not the first or last character, must not appear twice in a row
↑ Only theoretically supported, using it works very different depending on Django setup.
↑ Not recommended at start of username
↑ If the part before the ':' collides with a namespace or interwiki prefix, it is illegal to
↑ Blocked during account creation, see #MediaWiki.
↑ In practice, many systems are case insensitive

Minimum/Maximum username length

	URLs	HTTP basic auth	MediaWiki	Drupal	vBulletin	phpBB	WordPress	XMPP	Linux	Windows	Email	RestAuth
min	1	1							1
max	-^{[m 1]}	-	255 bytes^{[m 2]}						32

↑ dependent on the webserver
↑ http://meta.wikimedia.org/wiki/Help:Page_Name#Maximum_page_name_length

Conclusions

Names containing slashes ('/'), colons (':') and backslashes ("\") are illegal, no matter what. This makes our whole life easier.
Names containing ASCII control characters (<= 31, NOT space!) and DEL (#127) are also illegal. Note that this actually makes some usernames that could be used in an URL illegal: URLs can contain CRLF SP|HP according to the RFC!

Username considerations

Contents