Funnily enough I opened a new bank account the other day (Chase) and to my surprise they don't allow special characters to be used in the passwords.
Special characters don't make as much of a difference as password length: http://xkcd.com/936/ (a comic that must appear on any password-related thread). According to the XKCD analysis, an 8 character password based mostly on letters with some numbers and symbols has ~28 bits of entropy, while a random four word password has 44 bits. [Edit to add: http://news.ycombinator.com/item?id=4083381 claims over 3 billion MD5 hashes a second for $1000, meaning your 28-bit password could be cracked effectively instantaneously by a high school kid buying phishing gear with stolen credit cards or a summer job].
If you're an international web site, it might make sense to disallow symbols, as your customers may not be able to enter their chosen symbols when traveling internationally.
The short XKCD password is based on a dictionary word, making it vulnerable to intelligent brute force (oxymoron of the day).
I imagine the calculation goes something like this:
1/50000 Likelihood of a particular uncommon word
1/8 Substitute up to three letters for numbers
1/2 Initial capital or initial lowercase
1/32 Add a punctuation character at the end
1/10 Add a digit at the end
1/2 Possibly swap punctuation and digit at the end
----------------------------------------------------------
1/512000000 Resulting probability
-28.93157 log2(1/512000000) -- number of bits of entropy
So, if e.g. XKCD assumed only 25000 uncommon words to choose from, that would give ~28 bits of entropy.
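The calculation above, as an added example that is not part of the thread: each row of the table is a number of equally likely choices, and the entropy is the log2 of their product. The 2048-word list for the four-word passphrase and the 62-character alphabet for the 8-character random string are assumptions; the 3 billion guesses per second figure is the one quoted earlier in the thread.

```python
import math

# Composition model from the table above: each entry is the number of
# equally likely options at that step of building the password.
WORD_PASSWORD_CHOICES = [
    50000,  # one particular uncommon base word
    8,      # which letters are substituted with numbers
    2,      # initial capital or initial lowercase
    32,     # punctuation character appended at the end
    10,     # digit appended at the end
    2,      # punctuation and digit swapped or not
]


def entropy_bits(choices):
    """Bits of entropy for a password built from independent uniform choices.

    This is log2 of the product of the choice counts, i.e. -log2 of the
    probability of guessing any one specific password under the model.
    """
    return sum(math.log2(n) for n in choices)


def passphrase_bits(words, wordlist_size=2048):
    """Entropy of `words` words drawn uniformly from a list (assumed size 2048)."""
    return entropy_bits([wordlist_size] * words)


def random_string_bits(length, alphabet_size=62):
    """Entropy of a uniformly random string (assumed alphabet: a-z, A-Z, 0-9)."""
    return entropy_bits([alphabet_size] * length)


def worst_case_crack_seconds(bits, guesses_per_second):
    """Time to exhaust the whole keyspace at the given guessing rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 3e9  # hashes/second quoted in the thread for $1000 of hardware
    for label, bits in [
        ("word + substitutions + suffix", entropy_bits(WORD_PASSWORD_CHOICES)),
        ("four random dictionary words", passphrase_bits(4)),
        ("8 random alphanumeric chars", random_string_bits(8)),
    ]:
        secs = worst_case_crack_seconds(bits, rate)
        print(f"{label:32s} {bits:5.1f} bits  {secs:12.1f} s to exhaust")
```

Running the script shows why the thread treats the ~29-bit password as cracked "effectively instantaneously" while the 44-bit passphrase and the 8-character random string are not.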
Thanks for the thorough answer! I originally missed the part about using a real word as the base.
For my passwords, I use 8 character random strings so hopefully I am a little safer. Although, as I'm learning from all of these password leak debacles, you are only as secure as the systems using those passwords.