i do remember a conversation about this - searching for a link

found what I was thinking of but dont think it is relevant - sorry #29445

media/system/js/fields/passwordstrength.js is a 3rd party script - https://github.com/tkjaergaard/Password-Strength - that unfortunately has not been updated for some time. Addressing this issue would then either require us to rewrite the script as a native Joomla script, or update this one with an improved special characters check.

To do the latter, and after consulting our future overlord ChatGPT about special characters in passwords, it suggested the following characters to avoid:

Ambiguous Characters:
Sometimes it's recommended to avoid characters that can be easily mistaken for others, like l (lowercase L), I (uppercase i), O (uppercase o), and 0 (zero), especially in fonts where these characters look similar.
Non-ASCII Characters:
It's generally a good practice to avoid non-ASCII and extended ASCII characters in passwords, as they can cause issues with encoding and compatibility across different systems and platforms.

with the following characters recommended:

!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?~

A possible update to the regular expression check could then be:

score += this.constructor.calc(value, /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?~]/g, this.special, mods);

why would you avoid characters because they look like others. you should never be reading it anyway

why would you avoid characters because they look like others. you should never be reading it anyway

I suppose this would be for passwords that people pick to remember and perhaps store in a hand-written or other text format. Using an ambiguous character would more likely lead them to make a mistake when entering in the password.

Please test #43484

closed as we have a PR