Good password-security software should allow ANY UTF-8 character for each character in your password. The software should also store your password by performing an irreversible, collision-free hash on it (and do other things like salting). Consider the two passwords created using my theoretical good password software:
adba.3gV
Which is stronger? The answer is, they're both equally strong. Why? Because the software uses UTF-8 encoding for each character in the password, and has processed the passwords using an irreversible hash. This means as far as the hacker is concerned, the number of possible characters for each character is 256*, for both passwords, regardless of the variety of characters used. To increase the strength of the password, you have to add more characters, not increase the variety.
The problem is, not everyone is very good at writing software. Some password-software devs block the use of special characters and/or numbers, thus reducing the number of possible characters per character. Also, if the security software uses partially-reversible/reversible hashing (*cough cough ADOBE*), then using numbers and special characters can still sometimes prevent your password from being cracked.
The most common way a hacker cracks a password these days is either (a) by phishing/social engineering or (b) by guessing your password. (a) can be avoided by being careful about whom you give it to and where. (b) is avoided by not picking predictable passwords (e.g. "password" or "password1234" or "passw0rd" or making the password and username the same; there are many other examples to avoid).
Another idea is to use some piece of software which creates ridiculously long passwords + stores them hashed, and requires a master password, created by the user, to decrypt them. Maybe in the future if we can get some trustworthy biometrics we won't need to worry about all this.
*Note that if you use certain UTF-8 characters, depending on the software, you can increase the number of possible characters per character to 2^64.
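The storage scheme described above (any UTF-8 character accepted, a per-password salt, a one-way hash), as an added example that is not part of the original post. PBKDF2-HMAC-SHA256, the iteration count, the NFKC normalisation step and the sample passwords are choices assumed here; the post names no algorithm.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters for this example, not values from the post.
ITERATIONS = 600_000
SALT_LEN = 16
DIGEST_LEN = 32


def encode_password(password):
    """Accept any Unicode text and turn it into canonical UTF-8 bytes.

    NFKC normalisation makes the same visible password produce the same
    bytes even when different keyboards or OSes compose characters differently.
    """
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", encode_password(password), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return salt, digest


def verify_password(password, salt, expected):
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample passwords: one ASCII-only, one with non-ASCII characters.
    for pw in ("correct horse", "pässwörd-雪-🔑"):
        salt, digest = hash_password(pw)
        # The stored digest has the same length whatever characters were used.
        print(len(pw), "chars,", len(encode_password(pw)), "UTF-8 bytes ->",
              len(digest), "byte digest, verifies:", verify_password(pw, salt, digest))
```

Only the salt and digest are stored; the password itself is never written anywhere and cannot be recovered from the record.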