Evaluating the Impact of Special Characters on Password Security: A Comparative Analysis

Text-based password authentication remains essential for identity verification on internet platforms and blockchain systems. However, as computational power advances, security threats to user passwords have intensified, raising concerns about their effectiveness. While special characters (i.e., non-alphanumeric symbols, which include punctuation marks, mathematical symbols, and other non-letter/number characters like ‘.‘, ‘@’, ‘#’,’ '$', and similar) are often recommended to enhance password strength, the National Institute of Standards and Technology (NIST) prioritizes length over complexity, challenging their necessity. This study fills a critical gap in understanding user behavior regarding special character usage. By analyzing 15 datasets from Chinese, English, and German languages, we examined patterns of special character incorporation and their impact on password strength. Our findings indicate that users frequently employ predictable methods for including special characters, potentially compromising security, especially under stringent policies. We present three key contributions: 1) an analysis of special character usage patterns; 2) a quantitative assessment of strength differences using the PCFG_v4.1 model; and 3) actionable recommendations for stakeholders to enhance password security practices. This research further advocates for aligning password policies with user behavior for more effective security.