The NIST Official Who Mandated Special Characters in Passwords Has Apologized
The article traces the 2003 NIST password guideline that forced mixed-case letters, numbers and symbols, shows how billions of users followed the same predictable patterns, presents real-world leak analysis and the famous xkcd comparison, and explains why the rule was revised in 2017 yet still lingers.
Origin of the complexity rule
In 2003 Bill Burr, a mid-level manager at NIST, authored SP 800-63B Appendix A, an eight-page document that defined three password requirements: include both upper- and lower-case letters, at least one digit, and at least one special character; require a change every 90 days; forbid reuse of recent passwords.
The draft was based on a 1980s whitepaper written before the Internet existed, yet it became the de facto global standard for banks, schools, companies and virtually every website registration page.
Empirical evidence of user behavior
Analysis of large breach datasets such as the LinkedIn leak (hundreds of millions of passwords) showed a striking uniformity: users placed the uppercase letter at the beginning, the digit at the end, and an exclamation mark (or another punctuation mark) as the special character. Example passwords observed include Password1!, Summer2024! and Zhangsan123#. Cracking tools have incorporated these exact patterns into their rule sets and dictionaries, allowing such passwords to be cracked in seconds.
Entropy comparison illustrated by xkcd
Randall Munroe's 2011 xkcd comic contrasted two passwords:
Tr0ub4dor&3: mixed case, digit substitution, special character, ~28 bits of entropy.
correct horse battery staple: four random common words, no case or symbols, ~44 bits of entropy, and far easier to remember.
The comic notes that the second password is orders of magnitude stronger while being more memorable.
Policy revision
In 2017 NIST updated its digital-identity guidelines: the mandatory special-character rule and the 90-day rotation requirement were removed, and the agency began recommending long, memorable passphrases instead. In a Wall Street Journal interview, Bill Burr said, "Much of what I did, I now regret."
Current situation
Despite the 2017 revision, many registration forms still display the legacy rule “password must contain uppercase letters, numbers and special characters,” so billions of users continue to follow a policy that its own author has repudiated.
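Putting the checks the article contrasts side by side: the 2003 composition rule, the predictable shape found in the leak analysis, a 2017-style length-plus-blocklist check, and the passphrase entropy arithmetic behind the xkcd figure. This is an added example, not code from the article or NIST; the breach list and the 2048-word dictionary size are constructed assumptions.

```python
"""Legacy composition rule vs. a 2017-style check, plus passphrase entropy."""
import math
import re
import string

# Constructed stand-in for a breach corpus (real deployments use a full list).
BREACHED = {"password1!", "summer2024!", "zhangsan123#", "qwerty123!"}

# The uniform shape seen in leak analysis: one capital first, digits, one
# punctuation mark last. Crackers encode exactly this as a mangling rule.
PREDICTABLE = re.compile(r"^[A-Z][a-z]+\d+[!@#$%^&*]$")


def passes_legacy_rule(pw: str) -> bool:
    """2003-era rule: upper, lower, digit and special character all present."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def is_predictable_pattern(pw: str) -> bool:
    """True when the password only satisfies the rule in the usual way."""
    return PREDICTABLE.match(pw) is not None


def passes_modern_rule(pw: str, min_len: int = 8, max_len: int = 64) -> bool:
    """2017-style check: length bounds and a breach blocklist, no composition rule."""
    return min_len <= len(pw) <= max_len and pw.lower() not in BREACHED


def passphrase_entropy_bits(n_words: int, dictionary_size: int) -> float:
    """Entropy of n words chosen uniformly at random: n * log2(dictionary_size)."""
    return n_words * math.log2(dictionary_size)


if __name__ == "__main__":
    for pw in ("Password1!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: legacy={passes_legacy_rule(pw)} "
              f"predictable={is_predictable_pattern(pw)} "
              f"modern={passes_modern_rule(pw)}")
    # Four words from a 2048-word list give the comic's 44 bits.
    print(passphrase_entropy_bits(4, 2048))
```

Note that Password1! satisfies the legacy rule and fails the modern one, while the four-word passphrase does the reverse.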