Steven D'Aprano writes:
I wouldn't include punctuation [in the password alphabet] by default, as too many places still prohibit some, or all, punctuation characters.
Do you really expect users to choose their own random passwords using this function? I would expect that this function would be used for initial system-generated passwords (or system-enforced random passwords), and the system would have control over the admissible set. But users who have to conform to somebody else's rules much prefer obfuscated passwords that pass strength tests to random passwords in my experience. BTW, the last time I had to set a password that didn't allow the full set of 94 printable ASCII characters, uppercase letters were forbidden (silently -- it was documented in the help but not on the password change form, I had no idea why my first three suggestions were rejected). Go figure.