2

I'd like to make a password generator - strictly for myself. I'd like four "levels" of characters, but I'm a bit unsure of which symbols should be in each of the three latter ones - since I don't know which symbols sites are likely to disallow. I know this is somewhat a question of "personal opinion" - but let's call it "experience" instead...

I'm not going to use any accented letters, letters from other alphabets (Greek, Cyrillic, ...), letters only used in a few countries (like letters specific to Scandinavia or Poland), or special symbols (like "masculine" or "upside-down question mark"). So please ignore these...

My four "levels":

  • Upper- and lower-case letters, and digits
  • Symbols, "always" allowed (if the site accepts symbols in passwords, it accepts these)
  • Symbols "usually" allowed (if the site allows more than the very minimal of symbols, it allows these too)
  • Symbols "sometimes" forbidden (in the rare case some symbols are not allowed, it's usually some of these)

(...And while not applicable to my password-generator, are there any symbols that are almost always forbidden for various reasons?)

As for the fourth group, I'm particularly thinking of symbols likely to do "Bad Things" to PHP/ASP/JSP-scripts, JavaScript, HTML/CSS and SQL; and thus are often forbidden.

6
  • 2
    Yeah, this is unanswerable. You are asking for lists of characters that have various likelihoods of being accepted by a random site.
    – schroeder
    Commented Mar 27, 2017 at 14:35
  • 1
    Frankly, I'd go to the sites you use and build the lists yourself. I'm not sure a "community effort" will end up being helpful.
    – schroeder
    Commented Mar 27, 2017 at 14:36
  • 5
    Why don't you just use alphanumeric (i.e. [0-9a-zA-Z]) characters? With long enough passwords, you do not need more. If you really want more, you can use the list of the 95 printable ASCII characters.
    – A. Hersean
    Commented Mar 27, 2017 at 15:03
  • 2
    I'd go the other way and get rid of some of those pesky letters and digits too. I never really liked alphanumerics such as 0 or l.
    – daniel
    Commented Mar 28, 2017 at 16:03
  • 1
    Why have "levels" at all? Just allow the user to configure at run time exactly which characters are allowable and which aren't. If you're just writing this for personal use (i.e. not as an exercise, but to actually use) why not use one of the existing password generators available (I use Password Safe and it has highly customisable generator profiles)?
    Commented Mar 29, 2017 at 5:09

2 Answers

3

According to OWASP, which uses references from Microsoft AD, and Oracle Identity Manager, these symbols are allowed.

!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

https://www.owasp.org/index.php/Password_special_characters

However, I suppose that only answers your "usually" question. OWASP further explains that "Various operating systems and applications may apply limitations to this set".

Which to me says, it's completely subjective. Meaning, if I'm an application developer, I can choose to utilize industry standards (OWASP), or use my own subset.

So, to answer the "always" question, I think it would be safe to assume that these are acceptable.

!#$%&()+-/:;@[\]^_|~

Additionally, given the above information, I would go with these as the "sometimes forbidden" options.

"$%'()*+,-./:;<=>[]`{}

Since this is somewhat of a subjective question, no answer given can be 100% accurate. I think this should help with your task though.

1

If I were you, I would look at what other password generators use. For instance Bitwarden uses the first 8 shift characters of the top row of a US QWERTY keyboard: !@#$%^&*

This seems like a good compromise, especially if you want to be able to type the passwords yourself and you also want to be able to do so when using someone else's computer with a different keyboard layout. In fact in that case I might also leave out the $. For instance, @ and ! are available on every Latin keyboard layout that I know of, but { and } only appear on very few.
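As an added example (not code from either answer, OWASP or Bitwarden), the symbol lists quoted above are turned into selectable levels here, with the length each level needs to reach a target entropy, which puts a number on the comment that long alphanumeric passwords need nothing more. The level names, the function names and the 128-bit default are assumptions made for the illustration.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # level 1: 62 characters
SYMBOL_SETS = {                                # level names are assumptions
    "none": "",
    "bitwarden": "!@#$%^&*",                   # set quoted in the second answer
    "always": "!#$%&()+-/:;@[\\]^_|~",         # first answer's "always" list
    "owasp": string.punctuation,               # same 32 symbols as the OWASP list
}

def alphabet(level: str) -> str:
    """Letters and digits plus the symbol set named by `level`."""
    return ALNUM + SYMBOL_SETS[level]

def length_for_bits(level: str, bits: int = 128) -> int:
    """Shortest length at which a uniformly random password reaches `bits`."""
    return math.ceil(bits / math.log2(len(alphabet(level))))

def generate(level: str, bits: int = 128) -> str:
    """Draw from the OS CSPRNG; redraw until every character class is present.

    Many sites demand one character from each class. Redrawing the whole
    password keeps the result uniform over compliant passwords and costs
    well under one bit compared with the unconstrained figure.
    """
    chars, symbols = alphabet(level), SYMBOL_SETS[level]
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(symbols)
    length = length_for_bits(level, bits)
    while True:
        candidate = "".join(secrets.choice(chars) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate

if __name__ == "__main__":
    for level in SYMBOL_SETS:
        print(f"{level:10} {len(alphabet(level)):3} chars -> "
              f"{length_for_bits(level):2} long: {generate(level)}")
```

Dropping every symbol costs two extra characters at 128 bits (22 instead of 20 with the full OWASP list), so a site that rejects symbols is handled by picking a lower level rather than by accepting a weaker password.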
