Who uses special characters in passwords? Nobody does that.
Want to take a guess at the title of the person who uttered the weak phrase of the week? Payroll clerk? Nope. Administrative assistant? Nope. VP? Nope.
An IT auditor! If you’ve read much of my stuff, you know that I’ve complained before that too many IT auditors don’t get it (or IT for that matter).
We were discussing the company’s password policy requirements, specifically the one that requires 3 of 4 complexity characteristics (upper and lower case letters, numbers, and special characters).
When the auditor uttered the comment noted above, I replied, “I use special characters in all my passwords.” To which said auditor replied (providing a bonus of two weak quotes not only in one week, but in one conversation),
Wow, that’s hard to believe. You must really have something to hide.
I took comfort in the fact that this auditor realized that special characters make a password harder to guess or crack. But inwardly I laughed, as he obviously doesn’t understand why everyone should use strong passwords (for more on this, see What’s the Fuss?).
In my experience, people tend to avoid uppercase characters because of the extra keystroke required (the shift key). Some special characters (, . /) don’t require a shift key, so I’ve found that they are used more. But even when I’m shoulder surfing, I notice a lot of “top row” special characters being used, all of which require a shift key.
See also Throw Password Rules Under the Bus?