diff --git a/detect_secrets/plugins/basic_auth.py b/detect_secrets/plugins/basic_auth.py
index b95b4a3b..22ff953d 100644
--- a/detect_secrets/plugins/basic_auth.py
+++ b/detect_secrets/plugins/basic_auth.py
@@ -5,8 +5,13 @@
 from .base import RegexBasedDetector
+# This list is derived from RFC 3986 Section 2.2.
+#
+# We do not expect any of these delimiter characters to appear in
+# the username/password component of the URL, seeing that this would probably
+# result in an unexpected URL parsing (and probably won't even work).
 RESERVED_CHARACTERS = ':/?#[]@'
-SUB_DELIMITER_CHARACTERS = '!$&\';' # and anything else we might need
+SUB_DELIMITER_CHARACTERS = '!$&\'()*+,;='
 class BasicAuthDetector(RegexBasedDetector):
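Review bot: The new comment above `RESERVED_CHARACTERS` says none of these characters can appear in the username/password, but RFC 3986 Section 3.2.1 allows sub-delims unencoded in userinfo, so a password containing `=`, `+`, `*` or `!` is still a valid, working URL. If these constants feed a negated character class in the detector's regex (that code is outside the hunk), the widened `SUB_DELIMITER_CHARACTERS` would let such credentials go undetected, and `=`/`+` are common in generated or base64-style passwords. I would keep the exclusion only for the gen-delims in `RESERVED_CHARACTERS`, or else state the trade-off explicitly, e.g. `# Sub-delims are legal in userinfo (RFC 3986 Section 3.2.1); we exclude them to cut false positives, at the cost of missing passwords that contain them.` A test case with a sub-delim in the password would pin whichever behaviour is intended.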