The Truth Behind "Include Uppercase, Lowercase, Numbers, and Symbols"

Every time you create a new account, you're told: "Password must be at least 8 characters and include uppercase, lowercase, numbers, and symbols." Annoying, right? But this rule has a surprising history - and the shocking truth that it's not actually very effective.

Where It All Began - The 2003 NIST Document

The origin of password complexity rules traces back to "NIST Special Publication 800-63," published in 2003 by the National Institute of Standards and Technology (NIST). This document recommended that "passwords should mix uppercase, lowercase, numbers, and symbols," and web services worldwide adopted this rule.

However, in 2017, the document's author Bill Burr confessed in a Wall Street Journal interview that "much of that advice was wrong." The complexity rules merely led users to create predictable patterns like "P@ssw0rd!" and contributed little to actual security improvement.

Why Complex Passwords Are Less Effective Than You'd Think

Humans respond to complexity rules with remarkably predictable behavior.

  • Need uppercase? Capitalize only the first letter (Password)
  • Need numbers? Add 1 or 123 at the end (Password1)
  • Need symbols? Add ! at the end (Password1!)
  • Replace "a" with "@" and "o" with "0" (P@ssw0rd)

Attackers are well aware of these patterns and include them in their dictionary attack lists. In other words, even a password that looks complex can be easily cracked if the pattern is predictable.

What Makes a Truly Strong Password

The revised 2017 NIST guidelines shifted the focus from complexity rules to prioritizing "length."

  • Long passwords (passphrases): A passphrase combining 4-5 random words like "correct horse battery staple" is stronger and easier to remember than a short, complex password
  • Password managers: Tools that generate and manage unique random passwords for each service. The most secure approach. See our password security guide for practical setup tips
  • Two-factor authentication (2FA): Using an authenticator app or security key in addition to your password. Prevents unauthorized login even if your password is compromised

An 8-character random password (with uppercase, lowercase, numbers, and symbols) has about 6 quadrillion possible combinations. Meanwhile, a passphrase of 4 common English words has about 1.8 quadrillion combinations. Length is more effective than complexity.

The World's Most Commonly Used Passwords

According to research by security firm NordPass, the top 5 most commonly used passwords barely change from year to year.

  • #1: 123456
  • #2: password
  • #3: 123456789
  • #4: 12345
  • #5: 12345678

These passwords can be cracked in less than a second. Even if passwords are stored as hashes, such simple passwords render that protection meaningless. Worse, reusing these weak passwords across multiple services makes you a prime target for credential stuffing attacks.

Summary

Password complexity rules originated from a 2003 NIST document, but the author himself admitted they were "wrong." Long passphrases are stronger and easier to remember than short, complex passwords. Combining a password manager with two-factor authentication makes you even more secure. To see how exposed your current connection is, IP確認さん provides a security score along with your IP address and DNS leak test results.

Related Terms in This Article

Two-Factor Authentication An authentication method that doesn't rely on passwords alone. Your last line of defense when passwords are compromised. Encryption Passwords are stored on servers using hashing (one-way encryption). Phishing No matter how strong your password is, entering it on a phishing site means it's stolen.