On 04/30/2016 11:28 AM, Alice Wonder wrote:
> Is there any advice on characters to allow in usernames?
...
> I don't think a whitelist alphabet is the best approach because of people
> with names that are not spelled with Latin characters.
>
> Is there an existing blacklist of characters that are technically legal
> but are generally avoided in e-mail addresses?

The RFC uses a list of allowed characters, and so must you.

My advice is, first, don't write this yourself. There is almost
certainly a library for validating RFC-compliant usernames in whatever
programming language you use; locate one and use it.

Second, when validating user names, you must be aware of the features of
your email server. For instance, it may use the '-' character or the '+'
character as a way to allow user-local extensions. Thus "example-foo,"
"example-bar," and "example" may all be the same user/mailbox. If you
are not aware of this, then a new user might be set up as "example-bar"
and one would mask the other. Either the old user would prevent the new
one from receiving any mail, or the new one would begin intercepting
some of the old user's mail. Thus, because a character is allowed by RFC
does not mean that you should allow it in usernames.

Third, you should be aware that non-ASCII support was defined in RFC
6531, in 2012. That's very recent as RFCs go, and it is not widely
supported today. None of the mail servers shipped with CentOS 7, for
instance, include such support. Even if you build your own software that
supports the RFC, users with non-ASCII usernames will not be able to
send or receive email with remote domains that don't include such
support.

https://en.wikipedia.org/wiki/Extended_SMTP#List_of_supporting_servers_3
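
The mailbox-masking and non-ASCII checks described in the reply above, as an added example that is not part of the original message. It assumes the mail server treats '+' and '-' as extension delimiters, splits at the first one, and matches mailbox names case-insensitively; the function names and sample accounts are hypothetical, and RFC syntax validation is assumed to be done separately by a library.

```python
# Added example. Assumptions: '+' and '-' are the server's extension
# delimiters, the server splits at the first delimiter, and mailbox names
# are case-insensitive. Set DELIMITERS to match your own mail server.
DELIMITERS = "+-"


def base_mailbox(local_part, delimiters=DELIMITERS):
    """Return the mailbox the server would actually deliver this name to."""
    local = local_part.lower()
    # A delimiter at position 0 leaves no base name, so it is not an extension.
    cuts = [i for i in (local.find(d) for d in delimiters) if i > 0]
    return local[:min(cuts)] if cuts else local


def check_new_username(candidate, existing, delimiters=DELIMITERS):
    """Return the reasons to refuse `candidate`; an empty list means accept."""
    problems = []
    if not candidate.isascii():
        problems.append("non-ASCII local part needs RFC 6531 support end to end")
    name = candidate.lower()
    base = base_mailbox(name, delimiters)
    taken = {u.lower() for u in existing}
    if name in taken:
        problems.append("username already exists")
    if base != name:
        # The new name is only an extension of another mailbox.
        owner = "existing user" if base in taken else "unassigned mailbox"
        problems.append(f"mail for {name!r} is delivered to {owner} {base!r}")
    # Reverse case: an older account whose name already contains a delimiter.
    shadowed = sorted(u for u in taken
                      if u != name and base_mailbox(u, delimiters) == name)
    if shadowed:
        problems.append(f"{name!r} would receive mail meant for {shadowed}")
    return problems


# Constructed sample accounts, for illustration only.
EXISTING = ["example", "legacy-team", "carol"]

if __name__ == "__main__":
    for cand in ["example-bar", "legacy", "dave", "jos\u00e9", "Example"]:
        print(cand, "->", check_new_username(cand, EXISTING) or "ok")
```
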