You would never have to filter a password. In general, you shouldn't rely on filtering, but rather on escaping. Escaping always work, whereas filtering can have subtle edge cases. The only place where you should resort to filtering, is when you (for some reason) need to display input as code. But it's important to stress that filtering is less safe than escaping - it's not the other way around. That's counter-intuitive, so a lot of people get it wrong.