Re: Special characters
Well good news John, P455w0rd36 is in fact not in any password breaches known to haveibeenpwned.com.
Too bad it's been burned now!
But yes, as Len described, once a password has appeared in a breach of plaintext passwords (probably pinched from some site that stored them in the clear or used weak hashing), then it's in every password-cracker's dictionary. If they lift a database of password hashes from a site where you used one of those passwords, then they will decrypt it via a dictionary attack, even if an expensive hash function was used in that case.
Apparently haveibeenpwned has a dictionary of "hundreds of millions" of exposed passwords. So in cracking terms, any password that's in that list, no matter how long or complex, is reduced to about the level of a 5-character alphabetic password (380 million combinations).