Let *Me* Decide What A Good Password Is!

I have had it with web sites that won’t let me put really secure passwords on my accounts. What do I mean by that? I mean sites that won’t allow anything other than letters and numbers in a password. WTF? I have a whole keyboard full of lovely glyphs to choose from; why limit me to 52 letters (upper and lower, assuming the developers are smart enough to know the difference) and ten digits?

By placing non-alphanumeric characters in a password, I am making it much harder to guess or crack. Yet there is a corps of web developers out there who force me to choose less secure passwords, because they won’t let me put punctuation in them. Why they do this, I can’t say. There is not a single compelling reason to exclude punctuation from passwords. Not one. I challenge any of you to give me a good reason for this restriction. In fact, it’s more work for the developers to check for these “offending” characters and scold the user for daring to use them! I’ve been stewing about this for a while, but this morning when I tried to set up an account at podiobooks.com and was told my password was not good enough for them, it sent me over the edge.

So, tech managers, here are your marching orders: Look at your site(s). If you have a restriction on what characters can go in a password, figure out which of your developers wrote that code, and fire them. Then, have someone else rewrite that bit of code the right way.

6 thoughts on “Let *Me* Decide What A Good Password Is!”

  1. I’m guessing it’s the regular expressions used to validate passwords that are preventing you from using anything other than a-z, A-Z and 0-9. Instead of checking whether or not a password contains *at least* some pattern of alphanumerics, they often check for this pattern *and nothing else*.

  2. Maybe to prevent encoding issues? Encoding can be a pain in the ass in some unexpected cases… Also, not all characters are present in all keyboards. These may cause some support nightmares they simply don’t want to have. 🙂

  3. “In fact, it’s more work for the developers to check for these “offending” characters and scold the user for daring to use them!”
    – Wrong! Do you know punctuation marks in fields can really screw up queries against databases if not done properly? For legacy code, it’s almost always better to restrict punctuation marks in one place than sanitizing in 1000 places where they’re used… otherwise a clever hacker can exploit it to gain access to your account. Search for “SQL injection attack” for more information.

    But given that, agreed… there are ways to avoid this, and ideally we should allow punctuation marks in passwords.

  4. Yes, Coder, I *do* know about SQL injection attacks. I’ve been doing this software thing for a very long time. I’ve built many, many systems over the years, and they ALL supported whatever the user wanted to use as their password. It’s really not that hard, it’s just lazy developers.
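An added example (not from the post or its commenters) putting the thread's two points side by side: the anchored alphanumeric-only regex from comment 1 beside a length-only check, and the hash-then-parameterise handling that answers comment 3, so punctuation in a password never reaches SQL text at all. The table layout, the PBKDF2 iteration count and the sample password are constructed for the demo.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# The mistake comment 1 describes: an anchored pattern that allows letters and
# digits "and nothing else", so any punctuation is rejected outright.
ALNUM_ONLY = re.compile(r"[A-Za-z0-9]+")

def restrictive_check(password: str) -> bool:
    return ALNUM_ONLY.fullmatch(password) is not None

def permissive_check(password: str, min_len: int = 12) -> bool:
    # Enforce a minimum length only; every character the keyboard offers is allowed.
    return len(password) >= min_len

def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    # Salted PBKDF2-HMAC-SHA256; iteration count is a constructed demo value.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def store_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Parameterised statement: the password is never spliced into the SQL string,
    # and only its hash is stored, so comment 3's injection worry does not arise.
    conn.execute("INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
                 (username, salt, digest))

def verify_user(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def demo() -> dict:
    # Constructed sample: a long password full of the quote/semicolon/dash
    # characters a legacy string-built query would choke on.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    pw = "c0rrect-h0rse!'; battery\"--staple"
    store_user(conn, "alice", pw)
    return {
        "restrictive_rejects": not restrictive_check(pw),
        "permissive_accepts": permissive_check(pw),
        "login_ok": verify_user(conn, "alice", pw),
        "wrong_pw_rejected": not verify_user(conn, "alice", pw + "x"),
        "table_intact": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 1,
    }
```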

Comments are closed.