How to clearly state to the User what characters are valid
I'm trying to determine the best way to inform the User that an input accepts certain special characters. Alphanumerics are simple enough, but I feel like I'm losing clarity when I get to characters such as . and -. One style I've tried is this:
Valid characters include A-z, 0-9, and (._-).
Where the parenthesis wrap the valid characters, but when the parenthesis are not valid, it seems too easy for them to be mistaken as part of the list.
The style I'm leaning towards is the following:
Valid Characters include A-z, 0-9, '.', '_', and '-'.
But I feel as though the single quotes clutter things up, and makes it easy to lose yourself in the list, especially as it grows. Is there any way to convey this information that's accepted as 'better', or are there in fact better ways to go about this entirely?
This is very closely related to another question about validation but I'm not sure if it's a duplicate. It might be.
@AndrewLeach It's definitely similar, but that question seems more related to When validation information should be displayed. I was concerned with verbiage. Unfortunately in my case, I have no choice as to the when.
For better user experience, a good rule of thumb for presenting such complex requirements is to question the actual requirements. Is it so absolutely neccessary to have this exact limitation? Could you go out of your way and change your systems (perhaps re-encoding or 'escaping' their original input) so that there aren't arbitrary sets of 'valid characters' anymore? The best UX for this message would be no message at all, except when completely abnormal edge cases are encountered ("Please don't input 2 gigabytes of text here").
Personally, I would really like it it if it just said "Your username must match the pattern _`insert-relevant-regex-here`_," because then there is no ambiguity about allowed characters, Unicode, allowed lengths, or any weird restrictions that some sites seem to like. Unfortunately, most users do not know regular expressions, so this is unlikely to ever happen.
Although the best solution is actually "don't impose these restrictions on your users".
Perhaps this is the opposite, but if you have a minimum requirement (common for password fields), then repeat the rules when someone gets their password wrong, not just when they create it. I get so frustrated with sites that require some arbitrary length or character pattern so I cannot use the password I want and can remember, so I have to modify. When I return and fail to log on with my preferred choice, a reminder of the rules will usually remind me how I modified it to fit.