by brendoncarroll
1396 days ago
I can think of a few reasons to exclude a character:
- Requires quoting or escaping in the shell or some other programming environment
- Hard to type on mobile keyboard.
- Not in a given person's touch-typing repertoire.

The correct way to think about password security is as randomly generating a binary string of the desired security strength/length and then encoding it. If you generate 16 random bytes, that's 128 bits of security whether you encode it with hex, base32 or base64.

Required characters also do little to improve security, since there is usually only 1 of each kind of required character, and it's often at the beginning or end. They don't cause the user to select a random string from a meaningfully larger space.
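The encoding point from the comment above, as an added example that is not part of the original post: one 16-byte random secret is written in hex, base32, base64 and an alphabet with look-alike characters removed, and every form decodes back to the same 128 bits. `SAFE_ALPHABET`, its exclusions and the function names are assumptions made for the illustration.

```python
import base64
import secrets
import string

# Constructed alphabet (an assumption): letters and digits minus look-alikes.
# Nothing in it needs quoting or escaping in a shell.
SAFE_ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                        if c not in "0O1lI")

def encoded_length(n_bytes: int, alphabet: str) -> int:
    """Smallest length L with len(alphabet)**L >= 2**(8*n_bytes)."""
    length, space = 0, 1
    while space < 1 << (8 * n_bytes):
        space *= len(alphabet)
        length += 1
    return length

def encode(secret: bytes, alphabet: str) -> str:
    """Write the secret as a fixed-width number in base len(alphabet)."""
    value = int.from_bytes(secret, "big")
    digits = []
    for _ in range(encoded_length(len(secret), alphabet)):
        value, rem = divmod(value, len(alphabet))
        digits.append(alphabet[rem])
    return "".join(reversed(digits))

def decode(text: str, alphabet: str, n_bytes: int) -> bytes:
    """Inverse of encode(); raises if text is not a valid encoding."""
    value = 0
    for ch in text:
        value = value * len(alphabet) + alphabet.index(ch)
    return value.to_bytes(n_bytes, "big")

def demo(secret: bytes = b""):
    """Return the secret and its encodings; random 16 bytes if none given."""
    secret = secret or secrets.token_bytes(16)
    forms = {
        "hex": secret.hex(),
        "base32": base64.b32encode(secret).decode(),
        "base64": base64.b64encode(secret).decode(),
        "safe": encode(secret, SAFE_ALPHABET),
    }
    return secret, forms

if __name__ == "__main__":
    secret, forms = demo()
    for name, text in forms.items():
        print(f"{name:7} {len(text):2} chars  {text}")
```

Because each encoding is one-to-one, dropping characters from the alphabet changes only the length of the string (22 characters here against 32 for hex), not the number of equally likely secrets.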