For passwords, I think you should allow anything the user wants to use, because no-one but the user will see or have to type it. Username is a bit more difficult.