Which non-alphanumeric characters do or don't qualify for password policy?

Is there a definitive list of non-alphanumeric characters that fulfill the password policy setting to Require a non-alphanumeric character? Or, is there at least some enumeration or definition of characters that don’t fulfill the policy?

The list of examples in that reference article, ; , " ' ? < > { } & ^ % $ # @ ! * . / - + = ~ ,, is seemingly non-exhaustive. In spot-checking other characters in an Input element set to Check the password while typing, I observe qualifying characters omitted from the examples, such as ()\| and even an emoji (😀), as well as at least one character that doesn’t qualify, :.

Some further testing…

  • Latin alphabet letters with diacriticals, such as é ñ, seem to qualify as non-alphanumeric characters. That’s counterintuitive, but suggests that Bubble’s validation might be referencing the regex character class “word”, whose letters are limited to the literal A-z ASCII characters. For example, \W.
  • Underscore seems to qualify as a non-alphanumeric character: _. That’s, of course, intuitive, but of note since that character is lumped together with alphanumeric characters in the regex “word” character class. So, Bubble is seemingly not using the regex \W after all.

It would be great to know precisely how Bubble is validating each of its password policy settings so that we could mimic those tests in communicating to users whether a new password conforms to each policy requirement. Better yet, Bubble could expose for a password input a yes/no property for the input value’s conformance with each policy requirement, just like it already exposes an aggregated password strength property.

If this sounds helpful to you, consider upvoting the idea I submitted: Expose properties reflecting password input value’s conformance with password policy requirements | Bubble.

Pretty wild that it’s not in the manual (similar to slug and others) that we are still in the dark on :frowning:

@petter is it possible to get the manual to list exactly what characters are considered what?

2 Likes

Good suggestion @code-escapee,

The core reference has been extended with a better description and the regex.

It’s difficult to provide an exhaustive list, since the regex [^a-zA-Z\d\s:] will match any character that is not a Latin letter (both uppercase and lowercase), a digit, a space, or a colon.

This includes a big range of characters, such as:

  • Special characters: !, @, #, $, %, ^, &, *, (, ), _, +, =, {, }, [, ], |, \, ;, ', ", <, >, ,, ., ?, /
  • Accented characters: é, ö, ü, ñ
  • Non-Latin characters: α, β, γ, д, ж, ш, 漢, 字
  • Symbols: ©, ®, ✓, •
  • Emojis: 😀, 🎉, ❤️

So it’s better to think of it the other way around; not what it is, but what it isn’t.

2 Likes
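A client-side check built on the regex quoted above, as an added example that is not Bubble's code and not part of any post in this thread. It assumes the pattern is evaluated with JavaScript regex semantics and no flags; the function names and sample passwords are constructed for illustration.

```javascript
// Regex quoted in the thread for "Require a non-alphanumeric character".
// Assumption: evaluated with JavaScript regex semantics, no flags.
const NON_ALNUM = /[^a-zA-Z\d\s:]/;

// True when the password contains at least one qualifying character.
function meetsNonAlphanumericRule(password) {
  return NON_ALNUM.test(password);
}

// Split by code point (not UTF-16 unit) so an emoji is reported as one
// character, then return the distinct characters that satisfy the rule.
function qualifyingCharacters(password) {
  const hits = Array.from(password).filter((ch) => NON_ALNUM.test(ch));
  return [...new Set(hits)];
}

// Constructed sample passwords covering the cases raised in the thread,
// plus two edge cases that follow from how JavaScript defines \s and \d.
const samples = [
  ["Passw0rd", "ASCII letters and digits only"],
  ["Pass:word 1", "colon and space are excluded by the regex"],
  ["Pass_word1", "underscore qualifies (unlike \\W)"],
  ["Passwörd1", "accented letter qualifies"],
  ["Passw0rd😀", "emoji qualifies"],
  ["Pass\u00A0word1", "no-break space counts as \\s in JavaScript"],
  ["Passw\u0663rd", "Arabic-Indic digit: JavaScript \\d is 0-9 only"],
];

// Build one row per sample so the result can be shown or asserted on.
function report() {
  return samples.map(([password, note]) => ({
    password,
    ok: meetsNonAlphanumericRule(password),
    chars: qualifyingCharacters(password).join(" "),
    note,
  }));
}

console.table(report());
```

Because `\s` also covers Unicode whitespace and `\d` covers only 0-9 in JavaScript, a password whose only unusual character is a no-break space fails the rule, while one containing a non-ASCII digit passes.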

Excellent! Thanks a lot for the precision, @petter. That’s exactly the approach needed for all reference documentation. I look forward to implementing an improved user experience now that I can confidently create conditions based on what truly conforms with this specific password policy.

Thanks also, @code-escapee, for helping get my question addressed.

1 Like