Since the only thing you'll do with the password string is to get its MD5 signature and insert or compare the MD5 to the database, there's no reason to limit the characters being used. (If someone figures out how to include a null byte in their password string, more power to them!) Just check for min and max length (maybe not even max length).
As for user name, sticking to strings that match /^[-\w.]{4,10}$/ should suffice; that allows 4 to 10 characters that must all be alphanumeric, underscore, dash or period. (Adjust length constraints to suit your taste.)
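Added illustration, not code from the answer's author: a Python version of the two checks described above, with an assumed password minimum of 8 and an assumed (optional) maximum of 128. It also covers two regex details the answer does not spell out: Python's `\w` matches non-ASCII letters unless `re.ASCII` is set, and `$` matches before a trailing newline, so `fullmatch` is used instead of `match`.

```python
import re

# Username rule from the answer: 4 to 10 characters, each alphanumeric,
# underscore, dash or period. re.ASCII keeps \w to [A-Za-z0-9_]; without it
# Python's \w also accepts non-ASCII letters such as "ö".
USERNAME_RE = re.compile(r"^[-\w.]{4,10}$", re.ASCII)

# Password rule: only length is checked, no character restrictions (a NUL
# byte is fine). Both bounds are assumed values; the answer leaves max optional.
PASSWORD_MIN = 8
PASSWORD_MAX = 128


def valid_username(name: str) -> bool:
    """True if the username matches the answer's pattern exactly.

    fullmatch is used because '$' alone would still accept "abcd\n":
    it matches before a trailing newline, which match() would let through.
    """
    return USERNAME_RE.fullmatch(name) is not None


def valid_password(password: str) -> bool:
    """Length-only check; any character, including NUL, is allowed."""
    return PASSWORD_MIN <= len(password) <= PASSWORD_MAX
```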