Is it not good to use Password with Special Character

Asked by AmitSinha in SQL Server, Dec 2, 2021

I'm trying to find the best degree of entropy for a password template, and after carrying out several tests, the best result came from this: à.

This symbol by itself adds 160 characters to the set (unlike lower/upper case letters, numbers, or even symbols) and is readily available from a Spanish keyboard such as the one I use, which looks perfect.

However, I am unable to find any information about it. All password generation software seems to avoid using those, and I don't know why.

A password like +9qQ¨{^ adds up to a 254 charset size, and +9qQ¨{^aaaa already has 67 bits of entropy. Setting the easy-to-remember factor aside, is it not good to use a password with a special character?

Answered by Amit verma

Most so-called password strength checkers understand neither passwords nor entropy correctly. I have always found something ridiculous that passes as a strong password. Try your name plus your birthdate (with dots or slashes, as your locale requires). There's your upper and lowercase letters, special characters and numbers right there, and yet nobody in their right mind would recommend that as a password.

And yet "JohnDoe01.01.1980" scores "220 trillion years" on https://howsecureismypassword.net/ and 100% on http://www.passwordmeter.com/. https://www.my1login.com/resources/password-strength-test/ is the only checker I found that understands the stupidity: enter this example and watch how its estimate goes from "fantastic" to "medium" as you enter the last number and it "gets" that there's a calendar date.

So: use more than the primitive entropy calculation engines to judge passwords.

For your specific case that means:

On paper, extending the character set dramatically increases the search space and should make passwords radically more secure. In reality, 99.9% of users will use their own locale, and a Spanish à or a German umlaut are just a few additional characters, not the entire UTF-8 space. You'd be silly to assume that an attacker doesn't take basic human nature into account.

There are also usability aspects. I once had to log into my account remotely from a Japanese Internet cafe, and that was decidedly not fun. If my username, password, or any of the commands I needed had included non-ASCII characters, I don't think there would have been any way of making that happen. If it is remotely possible that you may have to log into your machine from a different keyboard than the one you are using now, too-special characters will keep you out of your own account better than a forgotten password could. And let's not even talk about Unicode and its many broken implementations, which could cause additional issues. These are also some of the reasons password generators avoid non-ASCII characters: not enough added security to compensate for all the potential problems.
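The contrast the answer draws, naive "charset size to the power of length" arithmetic against an attacker who models dates, names and repeated characters, worked through as an added Python example. This is not code from the original question, the answer, or any of the checkers linked above. The per-class charset sizes, the 160-character non-ASCII figure (taken from the question), the 32-character "reachable from one keyboard layout" set, the toy word list and the day/month/year date model are all assumptions chosen for illustration, not measured data. The last helper shows the Unicode caveat: a precomposed à and an a followed by a combining grave accent are different byte strings that a normalising client would silently treat as the same password, and a non-normalising one would not.

```python
"""Naive charset-size entropy versus a simplified pattern-aware estimate
(zxcvbn-style), plus a Unicode normalisation check.
Added example; all constants and the word list are constructed assumptions."""
import math
import re
import unicodedata

# Charset sizes a simple strength meter assumes per character class.
# 160 for non-ASCII mirrors the figure in the question; it is an assumption.
NAIVE_CLASSES = (
    (26, lambda c: c.isascii() and c.islower()),
    (26, lambda c: c.isascii() and c.isupper()),
    (10, lambda c: c.isascii() and c.isdigit()),
    (33, lambda c: c.isascii() and c.isprintable() and not c.isalnum()),
    (160, lambda c: not c.isascii()),
)
# Assumed size of the non-ASCII characters actually reachable from one
# keyboard layout (the "few additional characters" point), not all of Unicode.
LOCALE_NON_ASCII = 32
# Constructed toy dictionary ordered by assumed frequency; rank = index + 1.
WORDS = ["password", "john", "doe", "admin", "welcome", "amit", "sinha"]
DATE_RE = re.compile(r"\d{1,2}[./-]\d{1,2}[./-](?:\d{4}|\d{2})")
DATE_BITS = math.log2(31 * 12 * 100)      # any day/month/year within a century
REPEAT_RE = re.compile(r"(.)\1{2,}")      # same character three or more times


def char_class_size(c: str) -> int:
    """Size of the naive class the character belongs to (1 if none match)."""
    for size, pred in NAIVE_CLASSES:
        if pred(c):
            return size
    return 1


def naive_entropy_bits(password: str) -> float:
    """length * log2(union of classes present): what most meters compute."""
    size = sum(s for s, pred in NAIVE_CLASSES if any(pred(c) for c in password))
    return len(password) * math.log2(size) if size else 0.0


def single_char_bits(c: str) -> float:
    """Brute-force cost of one character; non-ASCII is scored per locale."""
    size = LOCALE_NON_ASCII if not c.isascii() else char_class_size(c)
    return math.log2(size)


def pattern_entropy_bits(password: str) -> float:
    """Greedy left-to-right scoring: dates, dictionary words and repeats are
    cheap for an attacker who models human habits; leftovers are brute force."""
    bits, i = 0.0, 0
    while i < len(password):
        rest = password[i:]
        m = DATE_RE.match(rest)
        if m:                                   # calendar date, e.g. 01.01.1980
            bits += DATE_BITS
            i += m.end()
            continue
        word = max((w for w in WORDS if rest.lower().startswith(w)),
                   key=len, default=None)
        if word:                                # dictionary word, rank-based cost
            token = rest[:len(word)]
            case_bits = 1 if token != token.lower() else 0   # John vs john
            bits += math.log2(WORDS.index(word) + 1) + case_bits
            i += len(word)
            continue
        m = REPEAT_RE.match(rest)
        if m:                                   # aaaa: one char plus its count
            bits += single_char_bits(m.group(1)) + math.log2(m.end())
            i += m.end()
            continue
        bits += single_char_bits(rest[0])       # plain brute-force character
        i += 1
    return bits


def same_after_nfc(a: str, b: str) -> bool:
    """True when two byte-different strings become identical under NFC,
    i.e. a normalising client would accept either as the same password."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


if __name__ == "__main__":
    for pw in ("JohnDoe01.01.1980", "+9qQ\u00a8{^aaaa"):
        print(f"{pw!r}: naive {naive_entropy_bits(pw):.1f} bits, "
              f"pattern-aware {pattern_entropy_bits(pw):.1f} bits")
    print("\u00e0 == a\u0300 ?", "\u00e0" == "a\u0300",
          "; equal after NFC:", same_after_nfc("\u00e0", "a\u0300"))
```

With these assumptions the name-plus-birthdate password scores roughly 112 bits naively but under 20 bits once the two names and the date are recognised, while the accented-symbol password drops from about 88 bits to about 40 bits once the non-ASCII character is charged at the size of one keyboard's extra set and the trailing repeat is collapsed. The absolute numbers depend entirely on the assumed models; the point is the gap between the two columns, which is what the linked checkers miss.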

Password Special Characters on US Keyboard

Here is a list of the special characters available on a US keyboard that are commonly accepted in passwords, each with its English name and Unicode code point. We recommend using at least 5 special characters in a password to make it strong; bear in mind, though, that counting character classes is not by itself a reliable measure of strength, as the answer above explains, and that length and unpredictability matter more.



Character   Name                      Unicode
!           Exclamation mark          U+0021
"           Double quote              U+0022
#           Number sign (hash)        U+0023
$           Dollar sign               U+0024
%           Percent                   U+0025
&           Ampersand                 U+0026
'           Single quote              U+0027
(           Left parenthesis          U+0028
)           Right parenthesis         U+0029
*           Asterisk                  U+002A
+           Plus                      U+002B
,           Comma                     U+002C
-           Minus (hyphen)            U+002D
.           Full stop                 U+002E
/           Slash                     U+002F
:           Colon                     U+003A
;           Semicolon                 U+003B
<           Less than                 U+003C
=           Equals sign               U+003D
>           Greater than              U+003E
?           Question mark             U+003F
@           At sign                   U+0040
[           Left bracket              U+005B
\           Backslash                 U+005C
]           Right bracket             U+005D
^           Caret                     U+005E
_           Underscore                U+005F
`           Grave accent (backtick)   U+0060
{           Left brace                U+007B
|           Vertical bar              U+007C
}           Right brace               U+007D
~           Tilde                     U+007E
