
I'm going through a bunch of accounts at the moment changing my passwords, some of them are looking a little weak and I've reused them, but I keep coming across websites that don't allow you to use symbols in the password, including my bank.

Why would websites not allow symbols and cap the password at 20?

From what i've read length is better than symbols, but surely letting the user choose a long password with symbols is even better?

Crizly

2 Answers


Disallowing symbols is usually a sign that someone in the development process heard about SQL injection, code injection, or cross-site scripting and decided to take a brute-force approach to preventing it rather than going to the effort of understanding what the real risks and prevention techniques are.

Length limits are either a sign that someone didn't think carefully when defining input limitations, or a sign that your password is stored directly rather than hashed and the database field only allows a certain amount of space for the password.

In the specific case that passwords are limited to 8 characters of printable ASCII, it is usually a sign that either the passwords are hashed using the obsolete DES crypt() function, or the software was developed by someone whose mind is stuck in the DES crypt() era.

Mark

Up front: Yes, a long password with symbols has more average entropy than a long password without.

Ultimately password security choices are left up to the people who design the systems that you use. There may be other additional security features that they use to secure your account information other than a username and password combination. IP/Network information can be used liberally to corroborate your identity with your logins. As an example, let's say you access your account from a public library on a different ISP than you normally use. Your bank may freeze your online banking account and contact you by phone at the phone number you have on file to verify your identity. It's just one example, but you get the idea.

Some may have other reasons for banning the use of symbols in their passwords due to poor data verification that could expose their systems to attack. Maybe it's just cheaper to do that instead of actually hiring a bunch of people to fix the problem for good. Who knows?

You do have a choice in the matter, and if that limitation bothers you, find a new provider for the services that you use on their site. You can always make that choice.

Desthro
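As an added illustration (not code from either answer or from any site mentioned), the following Python shows the two points raised above side by side: the "real prevention techniques" the first answer alludes to, and the entropy comparison the second answer opens with. Passwords are hashed with a salted PBKDF2-HMAC-SHA256 so the stored value is always 48 bytes whatever the password's length or character set, and the user record is written with a parameterised query so quotes and semicolons in the password are plain data. The policy constants, the choice of PBKDF2 over bcrypt or Argon2, and the in-memory SQLite table are all assumptions made for the example.

```python
import hashlib
import hmac
import math
import os
import sqlite3
import unicodedata
from typing import Optional

# Assumed policy values (not from the original post). The byte cap exists only
# to bound the cost of key derivation, never because of a column width.
MIN_PASSWORD_CHARS = 12
MAX_PASSWORD_BYTES = 1024
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000  # OWASP 2023 guidance for PBKDF2-HMAC-SHA256


def estimate_entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy in a uniformly random password of `length` symbols drawn
    from an alphabet of `charset_size`: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def validate_password(password: str) -> str:
    """Accept any Unicode, symbols included; enforce only a minimum length and
    the byte cap. Returns the NFKC-normalised form so the same visible string
    always hashes identically."""
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < MIN_PASSWORD_CHARS:
        raise ValueError(f"password must be at least {MIN_PASSWORD_CHARS} characters")
    if len(normalized.encode("utf-8")) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password must be at most {MAX_PASSWORD_BYTES} bytes")
    return normalized


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The result is always SALT_BYTES + 32 bytes,
    regardless of the password's length or character set."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return hmac.compare_digest(candidate, digest)


def open_user_store() -> sqlite3.Connection:
    """In-memory table standing in for a real user database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Parameterised INSERT: the password is bound as data, not spliced into
    SQL, so characters such as ' or ; cannot alter the statement."""
    pw = validate_password(password)
    conn.execute(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        (username, hash_password(pw)),
    )


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look the user up with a bound parameter and verify against the stored hash."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(unicodedata.normalize("NFKC", password), row[0])


if __name__ == "__main__":
    # Constructed demo input: a long passphrase containing SQL metacharacters.
    store = open_user_store()
    secret = "correct horse'; DROP TABLE users; --"
    register(store, "alice", secret)
    print("login ok:", login(store, "alice", secret))
    print("20 lowercase letters: %.1f bits" % estimate_entropy_bits(20, 26))
    print("8 printable ASCII:    %.1f bits" % estimate_entropy_bits(8, 95))
```

The entropy helper makes the "length beats symbols" point concrete: twenty lowercase letters carry roughly 94 bits, eight characters from the full 95-symbol printable ASCII set only about 53, and twenty characters from the full set more still. The storage side makes the other point: because the hash is fixed-width and the query is parameterised, neither a symbol ban nor a 20-character cap buys the site anything.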