diff --git a/UPGRADING.md b/UPGRADING.md
index 1953768..db2f87d 100644
--- a/UPGRADING.md
+++ b/UPGRADING.md
@@ -15,12 +15,14 @@ because it wasn't known if these would show up in barcodes. In more than 13
 years of real world use, though, it seems that barcodes and usernames with
 "special" characters are incredibly uncommon.
 
-Usernames must now only contain the characters from the set `A-Za-z0-9_-`.
-Existing usernames with special characters can be used by quoting the username.
+Since `' " \ ;` now have special meanings, they are no longer supported in
+product IDs. In theory, they could be quoted or escaped, but barcode scanners
+don't know that. Existing users with those characters in their names can
+continue to use their accounts by quoting or escaping them.
 
-Since `'`, `"`, `\`, and `;` now have special meanings, they are no longer
-supported in product IDs. In theory, they could be quoted or escaped, but
-barcode scanners don't know that.
+New usernames must now only contain the characters from the set 
+`A-Z a-z 0-9 _ - + / ^ * [] {}` and the first character must not be any of
+`- + / ^ *`.
 
 ## Update scripts that run revbank commands
 
diff --git a/plugins/adduser b/plugins/adduser
index 24b764d..b99d2b3 100644
--- a/plugins/adduser
+++ b/plugins/adduser
@@ -15,13 +15,13 @@ sub command :Tab(adduser) ($self, $cart, $command, @) {
 }
 
 sub username($self, $cart, $name, @) {
-    return REJECT, "Sorry, whitespace is not allowed."
-        if $name =~ /\s/;
+    return REJECT, "Sorry, only A-Z a-z 0-9 _ - + / ^ * [] {} are allowed."
+        if $name !~ /^[A-Za-z0-9_\-+\/\^*\[\]{}-]+\z/;
 
-    return REJECT, "Sorry, invalid first character."
-        if $name =~ /^[-+*]/;
+    return REJECT, "Sorry, - + / ^ * are not allowed as the first character."
+        if $name =~ /^[-+*\/\^]/;
 
-    return REJECT, "That's too numeric to be a user name."
+    return REJECT, "Sorry, that's too numeric to be a user name."
         if defined parse_amount($name);
 
     return REJECT, "That name already exists."