A special character is any symbol that isn’t a letter or number, like ! @ # $ % ^ & * ( ) – _ + = { } [ ] : ; “ ” ‘ ’ , . ? / \ | ~.
You’ve seen the prompt: “Add at least one special character.” Then you try a symbol and the site rejects it. Or it accepts it, then your phone keyboard makes it a pain to type on the next login. That whole cycle is common, and it’s fixable once you know what “special character” means in password terms, which symbols usually count, and why some systems still block certain ones.
This article gives you a clean definition, a practical list, and the gotchas that matter in real logins. It also shows how to use symbols in a way that helps without turning your password into something you can’t reliably enter on every device.
What counts as a special character
In password rules, “special character” usually means “non-alphanumeric.” In plain terms: not A–Z, not a–z, not 0–9. It’s punctuation and symbols.
Most sites treat these as special characters: ! @ # $ % ^ & * ( ) _ + – = { } [ ] : ; “ ” ‘ ’ < > , . ? / \ | ~. Some also treat a space as special, and some accept Unicode symbols beyond the basic keyboard set.
One catch: there’s no global standard that forces every system to accept every symbol. A login form might accept a character you can type, while the back-end validator rejects it. Another site might accept it, then break it during password reset emails or legacy integrations. That’s why “special character” can feel slippery.
Why special characters are used in passwords
Symbols expand the pool of characters you can use. More options can raise the number of possible combinations for a given length, which can make guessing harder in some attack scenarios.
But the bigger story in modern password guidance is not “stuff your password with symbols.” It’s “make passwords longer, and don’t force awkward composition rules.” NIST’s digital identity guidance says verifiers should not impose extra complexity requirements beyond length and basic checks, and it emphasizes screening against known-bad passwords instead of requiring character mixes. NIST SP 800-63B memorized secret guidance lays out that stance.
Microsoft makes a similar point for organizational policies: rigid rules like mandatory symbols can push people into predictable patterns (like Password!1) that attackers already try first. Microsoft password policy recommendations explains how common requirements can lead to normalized, guessable choices.
So yes, special characters can help. The win comes when they’re part of a longer password or passphrase you can type reliably, not a forced puzzle you solve once and then forget.
What makes a “good” special character choice
Pick symbols that meet two goals at the same time: the site accepts them, and you can enter them on every device you use. That sounds basic, but it’s where a lot of people get burned.
Focus on typing reliability
Characters that are easy to find on both desktop and mobile keyboards tend to cause fewer lockouts. Think: ! @ # $ & * – _ .
Characters that tend to cause trouble are the ones that look similar (like | and l), require long-press menus on phones, or get auto-changed by smart punctuation. Curly quotes (“ ”) and apostrophes (’), for instance, can sneak in if you paste from a notes app that “prettifies” punctuation.
Avoid patterns attackers expect
If you use a symbol, don’t default to the most common pattern. A lot of people do a capital first letter, then a word, then a number, then an exclamation point. Attack tools know that habit.
A better move is to use length plus a structure that isn’t a cliché. A passphrase with separators is easy to type and less likely to fall into the “Password!1” family. A symbol can act as that separator.
Don’t sacrifice length for symbols
If you’re choosing between adding one more word to a passphrase and swapping letters for symbols, take the extra length. Symbols can help, but length is usually the bigger lever for user-made passwords.
Taking special characters in your password seriously without making it fragile
Here’s a practical way to build something strong that you can still enter on a bad day, on a phone, or on a hotel keyboard:
- Start with a long base: a few words you can remember in order.
- Add separators you can type quickly, like hyphens or periods.
- Add one symbol you won’t forget and won’t get “smart-typed” into a different character.
- Add uniqueness per site, so one breach doesn’t domino into others.
If you use a password manager, you can go further and use long random strings that include a wide character set. That’s often easier than trying to out-clever your own memory.
Common special characters and where they break
Most sites accept a familiar set of symbols, but the rejection cases cluster around a few types: characters that mean something in code, characters that get re-encoded, and characters that vary across keyboard layouts.
The table below shows what typically works, what often fails, and why. Use it as a fast checklist when a site says “special character required” but stays vague.
| Character type | Examples | Why some systems reject it |
|---|---|---|
| Basic punctuation | ! . , – _ | Usually accepted; low risk of parsing issues; easiest to type on most keyboards. |
| Currency symbols | $ € £ ¥ | Some validators limit to ASCII; some legacy systems mishandle non-US symbols. |
| Brackets and braces | ( ) [ ] { } | May be blocked by narrow allow-lists or older directory integrations. |
| Quotes | ‘ ” “ ” ’ | Quotes can trigger escaping rules; curly quotes can be a different character than you expect. |
| Slashes | / \ | Backslash is a common escape character in software; some systems restrict it to reduce edge cases. |
| Angle brackets | < > | Often blocked to prevent injection issues; many sites disallow them in inputs. |
| Pipes | | | Can be confused with similar glyphs; sometimes restricted because it has meaning in shells and logs. |
| Spaces | [space] | Some systems trim leading or trailing spaces; copying can add invisible extra spaces. |
| Unicode symbols | • ✓ ★ | Not always accepted; normalization can change what’s stored vs. what you typed. |
What “special character required” usually means on real sites
When a site says it needs a special character, it’s usually enforcing a simple checkbox rule: “At least one character not in A–Z, a–z, 0–9.” That’s it.
Some sites tighten that into “at least one symbol from this set.” They might show it as a list, or they might quietly enforce it. If they show a list, follow the list. If they don’t, stick to safe, common choices: ! @ # $ & * – _ .
Some systems also treat an underscore as a letter-like character and refuse to count it as “special.” Others count it. That inconsistency is why you should test a login once after setting a new password, on the device you’ll use most.
Why some systems discourage special character rules
Composition rules can backfire. People tend to comply in predictable ways, and predictability is what attackers exploit. Many users end up with patterns like one symbol at the end, one digit at the end, and the rest as a familiar word. Attackers try those patterns first.
Modern guidance leans toward allowing users to use any characters they want, allowing paste (so password managers work smoothly), screening new passwords against known compromised values, and using length as the core baseline. That approach reduces lockouts and reduces the “I must invent a weird password I can’t type” problem.
If you run a site or app, this matters because user friction becomes support tickets, password resets, and account takeover risk from reused passwords. Your policy choices shape user behavior.
What Is a Special Character in a Password? With practical rules that work
Here are rules you can apply without turning password creation into a math test:
- Use length first. A longer password or passphrase is hard to guess and easier to make unique.
- Use symbols as separators, not decorations. A hyphen between words is easier than swapping letters for symbols.
- Prefer characters you can type everywhere. If you can’t type it quickly on your phone, don’t use it.
- Avoid the “one symbol at the end” habit. Put separators in the middle, or use more than one separator.
- Use a password manager when you can. It removes the memory tax and helps you avoid reuse.
How to troubleshoot when a site rejects your special character
When a password form keeps erroring out, the fix is usually mechanical. You don’t need to guess; you need to narrow down what the system accepts.
Start by removing the characters most likely to be blocked: quotes, angle brackets, backslashes, and spaces. Then switch to a conservative set: ! @ # $ & * – _ . If that still fails, the site might be restricting length, blocking repeated characters, or disallowing certain patterns.
| Problem you see | Likely cause | Fast fix |
|---|---|---|
| “Special character required” but your symbol “doesn’t count” | The validator only accepts a specific symbol set | Use one of: ! @ # $ & * – _ . then try again. |
| Password works on desktop, fails on mobile | Mobile keyboard entered a different character (smart punctuation) | Re-type using straight quotes and basic symbols; avoid curly quotes. |
| Password reset email link works, new password fails at login | Encoding or trimming changed what got stored | Avoid leading/trailing spaces; avoid Unicode symbols; try ASCII symbols only. |
| Copy/paste makes it fail | Hidden whitespace got included | Paste into a plain text field first, then re-copy; remove spaces at ends. |
| “Invalid character” error | System blocks characters with special meaning in code | Remove < > ‘ ” \ | and retry with safer symbols. |
| “Too long” or silent failure | Site has a low max length limit | Shorten while keeping uniqueness; keep separators; avoid long repeated strings. |
| Login fails only after changing keyboard language | Different layout produces a different symbol | Switch back to the layout used during creation; then reset with a simpler symbol set. |
| Account locks after a few tries | Typing errors compound quickly | Stop, reset once, then save in a manager to avoid repeated mis-types. |
Special characters and password managers
Password managers change the whole equation. You don’t have to invent a clever pattern. You can generate a long random password with letters, numbers, and symbols, then fill it automatically on every device.
If a site blocks certain characters, a good manager lets you set character rules per site. That solves the “this bank hates my password” problem without weakening every other login you have.
If you don’t want a manager, a long passphrase with simple separators is the next best choice. It’s easier to type, easier to verify visually, and less likely to break across devices.
Quick checklist before you commit a new password
- Can you type it on your phone without hunting through menus?
- Did you avoid curly quotes and rare Unicode symbols?
- Is it long enough that you didn’t need to rely on symbol tricks?
- Is it unique to this site?
- Did you test one login right after setting it?
If you can answer “yes” to those, your special characters are doing their job: adding variety without adding fragility.
References & Sources
- NIST.“Digital Identity Guidelines: SP 800-63B (Authentication and Lifecycle Management).”Explains modern password guidance that prioritizes length and discourages forced composition rules.
- Microsoft Learn.“Password policy recommendations (Microsoft 365 admin).”Describes how common complexity requirements can lead to predictable, weaker password choices and suggests better policy defaults.