Here's how Morris Lewis determined that his 14-character SQL Server password could contain 41 possible characters. Each position in the password could have the characters A-Z, a-z, 0-9, or any of the symbols #, $, %,^, &, -, +, =, ~, |, <, >, _, and `. Those are the symbols on Lewis's keyboard that aren't prohibited, and Lewis didn't use symbols that are available in the character set but not on the keyboard. So, you have 26 + 26 + 10 + 14 = 76 possible characters in each position. Unfortunately, Microsoft stores passwords as a hashed value that translates lowercase characters to uppercase characters, so you lose 26 characters. Most people probably use the shifted number-key characters, which are legal, so the symbols that are possible are #, $, %, ^, and &. That leaves 26 + 10 + 5 = 41 possible characters in each position.