Worst thing about 1Password, and LastPass when I used it, is that it doesn't let you pick what special characters it uses, despite it being such a common thing on websites. So you have to manually add them, or swap out things.
Enpass’ password generator has a field where you can enter characters not allowed.
Regretfully, Enpass doesn’t store this field nor the rest of the complexity rule as part of the password entry. The next time the password has to be changed, you have to figure out the underlying complexity rule again.
The old “abchkkunenukzimejienejsidmdjiwknevgjk bgiknhhhnnisplwkslandhgabsndmskalpaapowhsoslxiaiapjsbsnsnaja” is not secure, but “P@55w0rd” is super duper secure.
In our app we have a requirement that is similar.. I kicked and screamed and sent them spec documents from the NIST.. no one cared.. we have a max length of 10 chars... that SERIOUSLY hurts... 8 and 10 chars are our current requirements... plus some combination of numbers and special chars... WTFBBQ !!!!111...
I mean, if you insist on a 10-char maximum, then mandating symbols to increase the search space is a good idea, right? (Granted, that doesn't make a 10-char max sane)
Allowing symbols increases the search space, but requiring them reduces it.
And in practice this effect can be exaggerated when people don't use random passwords but must actually choose a password they'll remember - because what they'll actually do is choose something easy and then shove a symbol in there to meet your requirement. You may well allow 30+ different symbols, or even more, but the users will invariably pick one of a dozen or so that were easiest to reach on their keyboard and they may learn to be shy of characters that sometimes "don't work" such as quote marks and any local currency symbol even if those are easy to type.
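The allowed-versus-required point from the comments above, worked through as an added example (not posted by anyone in the thread): it counts the candidate passwords for an 8-to-10-character policy using inclusion-exclusion. Assumptions: passwords are uniformly random over the 94 printable ASCII characters (26 lower, 26 upper, 10 digits, 32 symbols), and the "dozen" of symbols actually used is modelled as exactly 12.

```python
from itertools import combinations
from math import log2

# Assumed alphabet: the 94 printable ASCII characters, split by class.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def count_passwords(length, classes, required=()):
    """Count strings of `length` over all classes that contain at least one
    character from every class named in `required` (inclusion-exclusion)."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def policy_space(min_len, max_len, classes, required=()):
    """Total candidates an attacker must cover for a length range."""
    return sum(count_passwords(n, classes, required)
               for n in range(min_len, max_len + 1))


def compare(min_len=8, max_len=10):
    """Search-space sizes for the 8-to-10-character policy from the thread."""
    no_symbols = {k: v for k, v in CLASSES.items() if k != "symbol"}
    dozen = dict(CLASSES, symbol=12)  # the "dozen or so" symbols users actually pick
    rules = ("digit", "symbol")
    return {
        "symbols forbidden": policy_space(min_len, max_len, no_symbols),
        "symbols allowed": policy_space(min_len, max_len, CLASSES),
        "digit+symbol required": policy_space(min_len, max_len, CLASSES, rules),
        "required, 12 symbols used": policy_space(min_len, max_len, dozen, rules),
    }


if __name__ == "__main__":
    for name, size in compare().items():
        print(f"{name:28s} {size:.3e}  ({log2(size):.1f} bits)")
```

Under these assumptions, requiring a digit and a symbol removes roughly a third of the space that merely allowing them provides, and the space shrinks further once only 12 symbols are in real use.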