Is it bad to use special characters in passwords?
Language-specific characters are typically avoided by password generators because they would not be universally available (US keyboards don't have accented characters, for instance). So don't take their omission from these tools as an indication that they might be weak or problematic.
The larger the symbol set (a-z
, A-Z
, 0-9
, etc.) the larger the pool of possible characters to try to guess when bruteforcing a password. Adding language-specific characters adds to the pool, and that can be a good thing.
But be careful about how you calculate entropy. The string ààààààààààà
doesn't have a lot of entropy if you are just hitting it on your keyboard because it's convenient. Entropy is about how the characters are chosen. A randomly chosen string has high entropy and a randomly chosen string from a wide pool of characters has higher entropy.
YES!
All passwords should only contain printable ASCII characters. Not "Extended ASCII", not Latin-1, not Unicode.
The reason is that you never know what is actually received by a program when you press "à" or similar.
In many version of "Extended ASCII", "à" is encoded as (hex)85.
In ISO Latin-1, "à" is encoded as (hex)E0.
In Unicode "à" is codepoint U+00E0. When encoded with UTF-8, the result is (hex)C3(hex)A0.
Justin Time points out in a comment that there is another possibility. Even if everybody talks Unicode, "à" can be stored in different ways. There is U+00E0 as listed above, but there is also a composed version (U+0061 U+0300) which is "a" followed by (COMBINING GRAVE ACCENT). A correctly written program will handle this, but it is extremely common to have bugs in this area.
Anybody who has a national character in their name or address has seen them mangled in many different ways. When this happens, it is just ugly, but the letter usually gets delivered anyway.
When this happens to a password, the result is that you cannot log in! Just don't go there.
Most of the so-called password strength checkers understand neither passwords nor entropy correctly. I have always found something ridiculous that passes as a strong password. Try your name plus your birthdate (with dots or slashes, as your locale requires). There's your upper and lowercase, special characters and numbers right there, and yet nobody in their right mind would recommend that as a password.
And yet "JohnDoe01.01.1980" scores "220 trillion years" on https://howsecureismypassword.net/ and 100% on http://www.passwordmeter.com/.
https://www.my1login.com/resources/password-strength-test/ is the only checker I found that understands the stupidity - enter this example and watch how its estimate goes from "fantastic" to "medium" as you enter the last number and it "gets" that there's a calendar date.
So: Use more than the primitive entropy calculation engines to judge passwords.
For your specific case that means:
on paper extending the character set dramatically increases the search space, and should make passwords radically more secure. in reality 99.9% of users will use their own locale and a spanish a or a german umlaut are just a few additional characters, and not the entire UTF-8 space. Because you'd be silly to assume that an attacker doesn't take basic human nature into account.
There are also the usability aspects. I once had to log into my account remotely from a japanese Internet cafe, and that was decidedly not fun. If my username, password or any of the commands I needed had included non-ASCII characters, I don't think there would have been any way of making that happen.
If it is remotely possible that you may have to log into your machine from a different keyboard then the one you are using now, too-special characters will keep you out of your own account better than a forgotten password could.
And let's not even talk about Unicode and its many broken implementations, which could cause additional issues.
These are also some of the reasons password generators avoid non-ASCII characters:
Not enough added security to compensate for all the potential problems.
And please, please, pretty please - stop thinking about password complexity. It's a snakeoil strawman bridge. Length beats complexity any day and if you're using password generators you are probably also storing them in a password manager and don't care if you type 10, 20, 40 or 200 characters.
The #1 best hint for password security is to use a new, long, random password for every Internet site you register with, so your password isn't lost in the next hack. Because you can't be sure they properly hash and salt them, and if they don't then all the complexity and special characters in the world don't matter one bit.