Depending on the protocol they can be url encoded or even helpfully html encoded; the same password can be used over different protocols. It's the best to not use punctuation by default (length supplies more entropy than charset), I add -0 at the end to make dumb password policies happy.
Often, the same ones with limited punctuation also have length limits, so maximizing the character options is the only way to maximize entropy.