Our validation takes an inverse approach. The setting is actually to require a non-alphanumeric character. So any character that is not alphabetic, or a digit, will satisfy this requirement.

There is not a fixed set of symbols as this would reduce the password entropy, which is generally a bad idea.