There are no hard-and-fast rules that everyone must obey when it comes to passwords at all, much less an "approved character list". Different sites - and different applications - will enforce different policies which may involve:
* Password minimum length
* Password maximum length
* Numeric characters required
* Upper and lower case required
* Special characters (i.e. non-numeric, non-alphabetic) required
* May not contain words in a dictionary (so no "my%password" or similar)
But don't have to.
Strong passwords are important, but they are not easily remembered, so they can reduce security considerably: the '"post-in-password" stuck to the side of the monitor' syndrome.
It's up to you what to do - though estimating password strength can help users by encouraging them to use stronger ones
* - the really important thing from your side is to ensure that you store it properly, rather than trying to force a user to strengthen his selection. That's more complicated than you might think:
Password Storage: How to do it.[
^]
* My bank does this: it rated mine as "Wow! Now that's a strong password!" But I have no idea what my password is: my password manager deals with that, not me!