There is a lot of research that I can find about security policies and usability when it comes to user passwords.
What I'm not able to find, however, is anything related to policies which FORBID special characters. We have a security specialist in IT who is insisting that the password policy must forbid special characters, because "special characters give users too many options to forget."
This sounds ludicrous on the face of it to me, because merely giving people the option to choose special characters is not the same thing as requiring them. If someone has a favorite password which contains an exclamation mark, for example, forcing them to use a different password could result in their:
A) Selecting a password that they can't remember or B) Giving up during registration and not completing the process.
Does anyone know of a white paper or research that addresses this issue?