>The more restrictive you make the rules, the less likely the user will remember what it is, even with a passphrase. The rules should accept all letters, numbers, and special characters. You can require things like "must have upper/lower case, special character, etc", but don't tell users they can't use them.
>
>I recently was forced to change my password on a web site. It came up and said, "To make your password more secure, we require you change it", Then I was told I couldn't use special characters. That alone made my new password LESS secure than the one I was already using.
Ok, thanks, I was revisiting some analysis in regards to an application for a client I have to maintain and this has been very valuable.