It depends entirely on the authentication system. Consequently those systems should state *exactly* what constitutes a valid password. In particular they should state which characters are valid.
At one site I submitted a password containing a '#' character. When I returned to login again I found that my password didn't work. Surely the '#' hadn't been interpreted as the start of a comment? So I tried the password again minus the characters from the '#' onwards. It worked! The idiot who had implemented the authentication system was parsing the password somehow, maybe in a scripting language. Yikes.
I regularly use 12-character passwords containing special characters as well as alphanumeric characters. Except backslash ('\'). Even I dare not use a backslash!
I keep my passwords in a simple text file which is then encrypted with GPG. I would never decrypt it on any machine but my own.
Edited by linux (Mon 21-May-07 12:49:15)