Why is a backslash "\" prohibited in passwords?

You can’t use a backslash because it’s a special escaping character in PHP. Using that can create some strange and unwanted behaviour if it’s used in the right (well, wrong) ways.

Shouldn’t backslashes in a password be a non-issue because they’re hashed? If they cause strange behavior in the code, the code has serious issues.

That is sort of correct. In a perfect world, a backslahs won’t cause a problem, but in the PHP world it can. These two strings:

• "\t"
• '\t'

mean completely different things. Dealing with backslashes is not as easy as saying “just hash it” becaues things change depending on how the strings are treated, and any changes in that will cause the passwords to be invalid. I can’t speak for the original authors of the login/logout/authentication functions, but I can see why it wasn’t allowed from the start thanks to the potential issues that can crop up from it’s use.

As for why it can’t be chnaged, you’d have to ask the dev team about that. There’s several way sto enquire like that, but if you want the best chance of a reply, your best bet is to work out a patch/patches that will work with backslashes throughout the authentication system, and sumib the patch as aprt of a Trac ticekt. Not only will that give you a nice warm fuzzy feeling about giving back, but you’ll also have a better chance of having osmeone listen rather then complaining about it without giving any suggestions on how to work around the issue.