Is it bad to use special characters in passwords?

Question

I'm trying to find the best degree of entropy for a password template, and after carrying out several tests, the best result came from this: à.

This symbol alone adds 160 characters to the set (contrary to lower-upper case letters, numbers, or even symbols) and is readily available from a Spanish keyboard such as the one I use, which looks perfect.

However, I can't find any information about this, all password generation software seems to avoid using those, and I don't know why.

A password like +9qQ¨{^ adds up to 254 charset size, +9qQ¨{^aaaa has 67 bits of entropy already, setting the ease-to-remember factor aside, is there any reason to avoid using these special characters?

Answer 1

Language-specific characters are typically avoided by password generators because they would not be universally available (US keyboards don't have accented characters, for instance). So don't take their omission from these tools as an indication that they might be weak or problematic.

The larger the symbol set (a-z, A-Z, 0-9, etc.) the larger the pool of possible characters to try to guess when bruteforcing a password. Adding language-specific characters adds to the pool, and that can be a good thing.

But be careful about how you calculate entropy. The string ààààààààààà doesn't have a lot of entropy if you are just hitting it on your keyboard because it's convenient. Entropy is about how the characters are chosen. A randomly chosen string has high entropy and a randomly chosen string from a wide pool of characters has higher entropy.

Answer 2

YES!

All passwords should only contain printable ASCII characters. Not "Extended ASCII", not Latin-1, not Unicode.

The reason is that you never know what is actually received by a program when you press "à" or similar.

In many version of "Extended ASCII", "à" is encoded as (hex)85.
In ISO Latin-1, "à" is encoded as (hex)E0.
In Unicode "à" is codepoint U+00E0. When encoded with UTF-8, the result is (hex)C3(hex)A0.

Justin Time points out in a comment that there is another possibility. Even if everybody talks Unicode, "à" can be stored in different ways. There is U+00E0 as listed above, but there is also a composed version (U+0061 U+0300) which is "a" followed by (COMBINING GRAVE ACCENT). A correctly written program will handle this, but it is extremely common to have bugs in this area.

Anybody who has a national character in their name or address has seen them mangled in many different ways. When this happens, it is just ugly, but the letter usually gets delivered anyway.

When this happens to a password, the result is that you cannot log in! Just don't go there.

Answer 3

Most of the so-called password strength checkers understand neither passwords nor entropy correctly. I have always found something ridiculous that passes as a strong password. Try your name plus your birthdate (with dots or slashes, as your locale requires). There's your upper and lowercase, special characters and numbers right there, and yet nobody in their right mind would recommend that as a password.

And yet "JohnDoe01.01.1980" scores "220 trillion years" on https://howsecureismypassword.net/ and 100% on http://www.passwordmeter.com/.

https://www.my1login.com/resources/password-strength-test/ is the only checker I found that understands the stupidity - enter this example and watch how its estimate goes from "fantastic" to "medium" as you enter the last number and it "gets" that there's a calendar date.

So: Use more than the primitive entropy calculation engines to judge passwords.

For your specific case that means:

on paper extending the character set dramatically increases the search space, and should make passwords radically more secure. in reality 99.9% of users will use their own locale and a spanish a or a german umlaut are just a few additional characters, and not the entire UTF-8 space. Because you'd be silly to assume that an attacker doesn't take basic human nature into account.

There are also the usability aspects. I once had to log into my account remotely from a japanese Internet cafe, and that was decidedly not fun. If my username, password or any of the commands I needed had included non-ASCII characters, I don't think there would have been any way of making that happen.

If it is remotely possible that you may have to log into your machine from a different keyboard then the one you are using now, too-special characters will keep you out of your own account better than a forgotten password could.

And let's not even talk about Unicode and its many broken implementations, which could cause additional issues.

These are also some of the reasons password generators avoid non-ASCII characters:

Not enough added security to compensate for all the potential problems.

---

And please, please, pretty please - stop thinking about password complexity. It's a snakeoil strawman bridge. Length beats complexity any day and if you're using password generators you are probably also storing them in a password manager and don't care if you type 10, 20, 40 or 200 characters.

The #1 best hint for password security is to use a new, long, random password for every Internet site you register with, so your password isn't lost in the next hack. Because you can't be sure they properly hash and salt them, and if they don't then all the complexity and special characters in the world don't matter one bit.

Answer 4

To calculate entropy, you need a well defined method of generating random strings. Consider the following string.

abcdef

If you told a computer with good random number generator to generate 6 lowercase letters and just happened to get this particular sequence, then you have log₂(26⁶) bits of entropy (28 bits of entropy). However, if your random string generator always returns "abcdef", then you have effectively 0 bits of entropy. Entropy calculations assume attackers know how you generate your passwords.

In your question, you specifically mentioned à character. You didn't specify an algorithm, so let me propose one. Pick any particular password generation algorithm (the choice doesn't matter), and always put à at end of it. How many bits of entropy does this add? The answer is 0 as the number of possible passwords that could be generated did not change.

But let's say you modified an algorithm that generates random characters to add à character into possible output characters. Doing so will add log₂((alphabet + 1)^size) - log₂(alphabet^size) bits of entropy. This doesn't provide all that much value, for 50 characters random passwords with alphabet size of 62 (lowercase + uppercase + digits), this will merely add a single bit of entropy. You can get much better result by adding 1 character to a password, which adds about 6 bits of entropy.

Additionally, adding à to your alphabet introduces a cost of having a character that isn't necessarily on any keyboard you may want to type the password on.

Answer 5

It can be bad if the login system is poorly implemented. Given that I still seem to see a lot of systems that (possibly for legacy reasons) still have maximum password lengths and have silly password rules about what characters are allowed (or worse, disallowed), I do not trust non-ASCII characters to make it through unscathed with a high degree of confidence. It certainly would be bad if you were allowed to set the password with a non-ASCII character but that the login process mangled it.

For systems that do enforce maximum password lengths, you also have to consider the ambiguity of how password length is actually measured. Is it a number of bytes? In what encoding? Is it a number of code points? Number of grapheme clusters? For example, if a system limits password length based on the number of bytes in UTF-8, then using a non-ASCII character would consume more bytes and could reduce entropy.

Answer 6

While a number of answers have provided solid information regarding entropy, the question asked was "... is there any reason to avoid using these special characters?"

Some computer password systems will only accept alphanumeric characters plus a limited range of characters such as an underscore (_) or hyphen (-). All other characters are forbidden.

In some complex applications there can be legacy systems using screen scrapping that can corrupt the translation of special characters in text strings. The catch is you can not know how an application has been implemented.There may or may not be legislation setting minimum standards.

At any point in a chain where character sets are changed there is the possibility of special characters being dropped or corrupted.

Don't assume the application that accepts your initial password for registration is the same application that accepts your password for validation. I must admit if I every experienced a system that badly implemented I would avoid the system like the plague.

Answer 7

It depends where and how you use the password.

If you're using a password manager e.g. on a usb stick, there is no problem that the password is typed-in correctly on all machines, due to copy and past.

When you have to use the password on special devices (smart TVs, fridge, devices where you can't insert a USB stick or aren't allowed to) or when there is a reasonably high chance the login process is shitty implemented, then I would only use ASCII characters found on US-Keyboards.

Answer 8

Entropy is not a property of passwords. It is a property of password generation methods (or more generally, a property of probability distributions). Specifically, it is the expected number of bits of information that an attacker would need in order to identify the specific password that was generated, assuming they know the method that was used. If all possible passwords that you might generate have the same probability, this simplifies to an entropy of log₂(number of possible passwords).

• So if your method is to select à, you have an entropy of 0; no additional information is needed to identify which of the single possible passwords was selected.
• If your password is a sequence of somewhere between 1 and 16 às, you have an entropy of 4, since there are 16 possibilities and log₂(16) = 4.

• If your password is three numbers between 0 and 15 inclusive, selected uniformly and independently, your entropy is 12, since there are 16³ possibilities and log₂(16³) = log₂(16)*3 = 12.

  But the password 15 3 7 doesn't have an entropy, because it's not a probability distribution; it's an item that was selected from one.

Tools that claim to give you the entropy of a password are actually guessing as to what method you likely used to generate that password (and almost certainly guessing wrong), and giving you the entropy of the method they think you used. They report a high entropy for passwords with special characters because they believe the password was selected using a method that might have generated any special character in any position. If this assumption is false (which it is), then the entropy they report is nonsense.

Using special characters in passwords is neither good nor bad. It doesn't matter which characters might end up in your password. It matters how many possibilities there are.

Answer 9

Yes, in some cases. For example:

1) If it is a situation where the password must be remembered, adding or requiring special characters reduces security because it increases likelihood that users will violate password policies around not storing them, or will just write those passwords down. Either case causes a much greater security risk than having less complex passwords.

Also for example, consider this series of passwords, changed every 90 days and using special characters to meet an excessive password requirement:

   Th1s$ecuritySucks!
   Th2s#ecuritySucks!
   Th3s@ecuritySucks!

Imagine the first two passwords were exposed... Even after changing to the third password, it would be easy to guess the current password on seeing the first two.

2) Adding entropy for entropy's sake can be a waste of resources better spend solving other security issues. If locking down a system (for example vs. a file), you would get more benefit from making sure all other avenues of attack are blocked... Meaning, making a rock-hard prevention of any extensive repeat guessing is far better than trying to make a password where more guesses are required.

If you have nothing better to do and the password does not need to be held in human memory or typed (or at least not typed from unknown / potentially different systems) though, it would not necessarily be harmful.

Answer 10

No, it's not bad to use “special” (better: non-ASCII) characters in passwords.

As a user, all you have to do is

1. trust the website that it will never come up with a non-UTF-8 login form,
2. make sure you will always be able to type your password when you need to do so.

If you know you may have to type your password on a foreign physical keyboard, you must be able to remember (or else, to look up) the position of the keys that produce your non-ASCII character(s) (BTW, à on a Spanish keyboard is 2 keystrokes). As for the layout, all operating system will let you change it, so that's not a problem.

The advantage of non-ASCII characters is that password cracking software is, IMHO, unlikely to try them out. If it did, it would explore passwords with a lower probability, at the expense of longer ASCII passwords, which have a higher probability of being used.

Answer 11

Extended ASCII (0-255) is fine as you can dial them anyway by using alt+ numerical keypad.

Any other character outside extended ASCII will not always work because your possibility to write it is dependent on the specific system configuration. Some systems may be locked/configured not to allow anything UTF-like.

So if you have a specific system and a specific language set, you may use something special for your login, but if you need a password to work from anywhere on any system, do limit yourself to ASCII.

Something like these will give you quite a lot of entropy and be generally not tested by most password brute-forcers:

≡±≥▀Γ▄

I used to even use 3-4 character passwords (for things like lab system accesses) many years ago since the characters were not on the keyboard.

Statistically, a brute-forcing software that is adapted for a specific region will also much more likely hit successes on UTF-8 compared to using extended ASCII.

Answer 12

I use Unicode characters in passwords, and sometimes a password change is blocked (forbidden characters), or goes through and then requires a password reinitialisation (some encoding problem). It’s very system dependant.