How to Use Special Characters in Passwords (And Which Ones Work)
Every website tells you the same thing: "Your password must contain at least one special character." Cool. But which special characters? Do they all work? And does slapping an exclamation mark at the end of "Password1" really make it secure?
Short answer: no, it doesn't. But special characters do make passwords meaningfully harder to crack when used properly. Let me explain what actually matters and which symbols you should consider using.
What Counts as a "Special Character" in Passwords?
When websites say "special character," they usually mean any printable ASCII character that isn't a letter or number. Here's the standard set:
! @ # $ % ^ & * ( ) - _ = + [ ] { } | \ ; : ' " , . < > / ? ` ~
That's 32 characters. Some sites accept all of them. Some only accept a subset. Some are weirdly picky — I've seen sites that allow @ but not #, which makes no sense to me. You'll occasionally run into a site that rejects certain characters because their developers didn't handle input sanitization properly. That's their problem, not yours, but you still have to deal with it.
Why Special Characters Matter for Password Strength
Password cracking works by trying combinations. If your password only uses lowercase letters (26 options per character), a brute-force attack has a relatively small search space. Add uppercase (52 options), then numbers (62 options), then special characters (94+ options). Each character type you add makes the password exponentially harder to crack.
Let's put real numbers on this. An 8-character password using only lowercase letters has about 209 billion possible combinations. Sounds like a lot. A modern GPU can try those in under a minute. Add special characters to the mix and that same 8-character password has about 6.1 quadrillion combinations. That's roughly 30,000 times harder to crack.
But here's the thing most people miss: length matters more than complexity. A 16-character password of all lowercase letters is harder to crack than an 8-character password with every character type. The math is clear on this. Special characters help, but they're not magic. They're one ingredient.
The Most Common Special Characters People Use
Studies of leaked password databases tell an interesting story. When people are forced to add a special character, they overwhelmingly choose:
- ! — The champion. Usually stuck at the end. "MyPassword1!" is tragically common.
- @ — Second place. Often used as a substitute for "a" (like "P@ssword").
- . — Period. Frequently used in the middle of passwords.
- # — Popular with people who think it looks "techy."
- $ — Used as a substitute for "S" (like "Pa$$word").
Password crackers know this. Every good cracking tool has rules that account for these patterns. Replacing "a" with "@" or "s" with "$" fools nobody. These substitutions are literally in the first wave of guesses any decent cracking program tries.
Which Special Characters Should You Actually Use?
If you want to make a cracker's life harder, use less common special characters. Characters like ^, ~, `, |, and { } are used far less frequently in passwords. They're on your keyboard, but they're not the first thing anyone reaches for.
My personal favorite approach: scatter special characters throughout the password, not just at the beginning or end. "m&yD0g^likes~rain" is way better than "MyDogLikesRain!" even though the second one looks reasonable at first glance.
Some power users go even further and use Unicode characters — things like © ™ ñ ü or even symbols from our currency symbols or math symbols collection. A password containing ¥ or ∞ or µ would throw off most cracking dictionaries completely. The catch? Not every system accepts Unicode in passwords. Test it before you lock yourself out.
Special Characters That Cause Problems
Some characters are more trouble than they're worth in passwords. Here's my "use with caution" list:
- ' and " — Quotes. Some badly coded websites interpret these as SQL or string delimiters. You might get an error, or worse, your password gets truncated silently.
- \ — Backslash. Treated as an escape character in many systems. Can cause weird behavior.
- < and > — Angle brackets. Some sites strip these out thinking they're HTML tags.
- & — Ampersand. Can cause issues in URLs and form submissions.
- Spaces — Technically a character. Many sites allow them, but some trim leading/trailing spaces silently. If your password starts or ends with a space, you might not be able to log in later.
I've personally been burned by the backslash one. Had a password with a \ in it, worked fine on the website, couldn't log in through their mobile app. Different input handling. Lesson learned.
Password Managers and Special Characters
If you're using a password manager (and you really should be), the special character question becomes mostly academic. Password managers generate random strings like k$7Bx!m#9pL&2vQ that include a healthy mix of everything. You never have to type them, so it doesn't matter if they include awkward characters.
But even password managers have settings for which character types to include. When generating passwords, I recommend:
- Length: at least 16 characters (20+ for important accounts)
- All character types enabled
- Exclude characters that the specific site doesn't accept (most managers let you configure this)
- Avoid "ambiguous" characters if you might ever need to type it manually (0 vs O, 1 vs l, etc.)
The Passphrase Alternative
Here's an approach that's gaining popularity: instead of a short complex password, use a long passphrase with a few special characters mixed in. Something like "correct^horse$battery!staple" (don't use that specific one — it's famous from an xkcd comic and definitely in cracking dictionaries by now).
Passphrases work because length is king. Four random words with some symbols between them give you 30+ characters easily, and they're actually memorable. Try remembering k$7Bx!m#9 versus "purple~elephant*jumps~twice". One of those you can actually recall without checking your password manager.
The key word is random. "ilovemydog!" is a passphrase too, technically, but it's a terrible one. Use a random word generator, pick 4-5 words, and sprinkle in some symbols. Done.
How to Type Special Characters
Most special characters are right there on your keyboard. But some require key combinations:
- ~ (tilde): Shift + ` (the key left of 1)
- ^ (caret): Shift + 6
- | (pipe): Shift + \
- { } (braces): Shift + [ and Shift + ]
- < > (angle brackets): Shift + , and Shift + .
- ` (backtick): The key left of 1, no shift
On phone keyboards, special characters are usually behind a "123" or "?#=" button. Tap it, then sometimes tap another layer to find the less common ones. It varies by phone, but they're all there somewhere.
For the really exotic stuff — Unicode symbols like those on our check mark symbols or star symbols pages — you'd need to copy and paste them. Whether a given website accepts them in passwords is a coin flip.
Quick Tips for Better Passwords
- Use a password manager. This solves 90% of password problems.
- Make passwords long. 16 characters minimum.
- Include special characters, but don't just put one at the end.
- Don't do obvious substitutions (@ for a, $ for s). Crackers know all of these.
- Different password for every account. Reuse is the real killer.
- Enable two-factor authentication wherever possible. Even the best password isn't enough alone.
- Test your password before committing — especially if you used unusual characters.
The Bottom Line
Special characters in passwords genuinely help. They expand the search space and make brute-force attacks harder. But they're not a silver bullet. A short password with a special character (like "Cat!23") is still terrible. A long passphrase with some symbols mixed in (like "frozen~piano*cloud#seven") is excellent.
Use the full range of characters your keyboard offers. Mix them in unpredictable positions. And please, for the love of all things secure, stop putting "!" at the end and calling it a day.