
"But the really startling bit is the use of non-alphanumeric or characters: Yep, less than 1% of passwords contained a non-alphanumeric character."

This doesn't surprise me at all. Non-alphanumeric characters are hostile for users to type in often. Add other peripherals like phones and a PS3 controller and it's even harder.




When the iPhone's App Store appeared I thought a lot about this because my password was really hard to type on it. One of the ideas that went through my mind was that the password could be two fields instead of one, with simpler words. Just an idea; I don't have much knowledge about this topic.


Hostile? Really? How is typing '$' instead of '4' any different from typing 'A' instead of 'a'? They both use the same shift key. Watch, I'll do it again. How about a seven? See? 7.

Now for the ampersand...just hold the 7 and reach for the shift key... &%$#$ FUCK! The little bastard just BIT ME!

I'm sorry, you're absolutely correct - those non-alphanumerics ARE hostile.


The services/apps are often hostile to it, in my experience. For a while I had a mental password-generation scheme that involved commas, and about 50% of websites would reject my password for having an illegal character, sometimes explicitly, other times just breaking in weird ways. After one site let me set my password to one involving a special character, but wouldn't let me enter that same password on the login form, I became wary of using special characters in passwords. (The site was a bank, not some random forum.)


Nah, they have a great reason - if they restrict you to alphanumeric characters, it's easier to prevent XSS when they display your password back to you later on in the flow :-).


My favorite is when I pick a 20-character password (KeePass, ahoy!), and register using that. Works great, until I try and log in, whereupon I realize they silently cut off n characters from the end of the password when saving it on the backend.

Heck, at one place, n was 12. Go figure.
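Added example, not part of any comment in this thread: the silent truncation described above, reproduced in a small Python credential store, beside a version that runs one shared check on both registration and login (which also rules out the set-versus-login mismatch mentioned earlier in the thread). The 12-character cut mirrors the anecdote; the class names, the 128-byte bound and the choice of PBKDF2 are assumptions of this sketch.

```python
import hashlib
import hmac
import os

TRUNCATE_AT = 12  # constructed limit, mirroring the "n was 12" anecdote


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class BuggyStore:
    """Registration silently truncates before hashing; login hashes the full input."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, kdf(password[:TRUNCATE_AT], salt))  # silent cut

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, kdf(password, salt))


class FixedStore(BuggyStore):
    """One shared policy check on both paths; over-length input fails loudly."""

    MAX_BYTES = 128  # assumed bound, only there to cap hashing cost

    def _check(self, password: str) -> str:
        # Any character is allowed; only the encoded length is limited.
        if len(password.encode("utf-8")) > self.MAX_BYTES:
            raise ValueError("password too long; rejected rather than truncated")
        return password

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, kdf(self._check(password), salt))

    def login(self, user: str, password: str) -> bool:
        try:
            return super().login(user, self._check(password))
        except ValueError:
            return False
```

In `BuggyStore` the full password is refused while its first 12 characters log in, so the account is protected by a shorter secret than the user chose.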


Some systems restrict you to alphanumeric passwords (generally for no good reason). If you reuse your password across systems (or you have a formula for creating passwords) then you are less likely to use special characters in case 1 system requires a different one.

Additionally, entering symbols on a phone keypad or touch screen is usually a little harder.


There's no shift key on my game controllers.


R2 comes close, though.


& is physically more difficult to type than U because of the hand stretch from holding the shift key. Not everybody has the same size hands :). While typing letters is easy, special chars are more awkward just because of where they are on the keyboard.



