by r1cka 1296 days ago
This is years ago now, but every ampersand in my passwords came across wrong. I can't recall if it was missing or url encoded, but even passwords weren't safe.

I'm still finding passwords in Bitwarden to old accounts that have `&` in them. Thanks, LastPass!
Your password is safely html encoded for distribution on the web.
Like on Hacker forums? :)
That is especially surprising, considering that passwords are more than likely going to contain special characters.
LastPass's own generator puts them in there.
Avoiding such trouble is why I want to avoid using symbols for passwords. Just use more alphanum characters for strength.
I want to as well, but annoyingly there are many sites that insist on a "special" character because their strength measure says "low" for the 20-character alphanumeric string I generated %-}
My favorite is when they actually limit what special characters you can use. Must include 1 of x special characters. Why? I always just assume they baked their own password storage and couldn't figure out how to handle the whole set of special characters.
Multiple times I've found that this is caused by a web application firewall that is intended to mitigate SQL injection attacks. So they disallow the characters that would commonly be used in those attacks.
Interesting, I had never considered that.
On those sites, I generally insert the same fixed uppercase-and-symbol string on my zbase32ed-entropy passwords. Zbase32 tends to produce numbers already, and that combo tends to satisfy the silly sites.
Or just use proper tools that work.
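
An added example, not part of any comment in this thread: a check for the ampersand corruption described at the top, which scans a vault export for passwords that still carry HTML-entity or percent-encoding residue. The CSV layout and the column names `name` and `password` are assumptions, not any password manager's actual export format, and the sample rows are constructed.

```python
import csv
import html
import io
import re
from urllib.parse import unquote

# Residue an HTML or URL encoder would leave behind in a stored secret.
ENTITY = re.compile(r"&(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);")
PERCENT = re.compile(r"%[0-9A-Fa-f]{2}")

def classify(password):
    """Return the kinds of encoding residue found in one password."""
    kinds = []
    # Only count a match if decoding really changes the value.
    if ENTITY.search(password) and html.unescape(password) != password:
        kinds.append("html-entity")
    if PERCENT.search(password) and unquote(password) != password:
        kinds.append("percent-encoded")
    return kinds

def suspect_entries(csv_text, name_col="name", password_col="password"):
    """Return (entry name, kinds) for rows worth re-checking by hand.
    Passwords themselves are never returned or printed."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kinds = classify(row.get(password_col) or "")
        if kinds:
            out.append((row.get(name_col, ""), kinds))
    return out

# Constructed sample export (hypothetical column names and values).
SAMPLE = """name,password
forum,hunter2&amp;more
bank,S3cure&pass
shop,abc%26def
wiki,plainAlnum20chars
blog,x&#38;y
"""

if __name__ == "__main__":
    for name, kinds in suspect_entries(SAMPLE):
        print(f"{name}: possible {', '.join(kinds)} corruption")
```

A hit is only a candidate: a password can legitimately contain `&amp;` or `%26`, so confirm by trying the decoded form against the site before editing the vault entry.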