The NIST Official Who Mandated Special Characters in Passwords Has Apologized

The article traces the 2003 NIST password guideline that forced mixed‑case, numbers and symbols, shows how billions followed the same predictable patterns, presents real‑world leak analysis and the famous xkcd comparison, and explains why the rule was revised in 2017 yet still lingers.

IT Services Circle

Origin of the complexity rule

In 2003 Bill Burr, a mid‑level manager at NIST, authored SP 800‑63B Appendix A, an eight‑page document that defined three password requirements: include both upper‑ and lower‑case letters, at least one digit, and at least one special character; require a change every 90 days; forbid reuse of recent passwords.

The draft was based on a 1980s whitepaper written before the Internet existed, yet it became the de facto global standard for banks, schools, companies and virtually every website registration page.

Empirical evidence of user behavior

Analysis of large breach datasets such as the LinkedIn leak (hundreds of millions of passwords) showed a striking uniformity: users placed the uppercase letter at the beginning, the digits at the end, and an exclamation mark (or another punctuation mark) as the special character, usually in the last position. Example passwords observed include Password1!, Summer2024! and Zhangsan123#. Cracking tools have incorporated these exact patterns into their rule sets and dictionaries, allowing such passwords to be cracked in seconds.

Entropy comparison illustrated by xkcd

Randall Munroe's 2011 xkcd comic contrasted two passwords:
Tr0ub4dor&3: mixed case, digit substitution, special character, about 28 bits of entropy.
correct horse battery staple: four random common words, no case or symbols, about 44 bits of entropy, and far easier to remember.

The comic notes that the second password is orders of magnitude stronger while being more memorable.
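The following is an added example, not code from the article or from NIST, that puts the two preceding sections side by side: it checks a password against the 2003-style composition rule, detects the "Capital word + digits + symbol" template seen in the breach data, and contrasts the naive entropy a composition checker implicitly assumes with the much smaller space an attacker who knows the template has to search, and with the word-list entropy of an xkcd-style passphrase. The dictionary sizes (2^16 base words, a 2048-word passphrase list) and the symbol set are assumptions chosen to reproduce the comic's arithmetic.

```python
import math
import re

# Legacy composition rule: at least one upper, lower, digit and special.
LEGACY_CLASSES = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]

# The predictable template from the breach analysis: one capital letter
# first, a short digit run next, one punctuation mark last.
# SYMBOLS is an assumed set of common keyboard punctuation.
SYMBOLS = "!@#$%^&*"
TEMPLATE = re.compile(r"^[A-Z][a-z]+(\d{1,4})[" + re.escape(SYMBOLS) + r"]$")


def passes_legacy_rule(pw: str) -> bool:
    return all(re.search(cls, pw) for cls in LEGACY_CLASSES)


def is_predictable_template(pw: str) -> bool:
    return TEMPLATE.match(pw) is not None


def naive_entropy_bits(pw: str) -> float:
    """What a composition checker implicitly assumes: every position is
    drawn uniformly from the union of the character classes present."""
    pool = 0
    for cls, size in ((r"[A-Z]", 26), (r"[a-z]", 26),
                      (r"\d", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(cls, pw):
            pool += size
    return len(pw) * math.log2(pool) if pool else 0.0


def template_entropy_bits(pw: str, dict_words: int = 2 ** 16) -> float:
    """Search space for a template password: one of dict_words base words
    (assumed size), capitalised or not, a 1-4 digit suffix and one symbol.
    Falls back to the naive estimate for passwords that do not fit."""
    m = TEMPLATE.match(pw)
    if m is None:
        return naive_entropy_bits(pw)
    digits = len(m.group(1))
    return (math.log2(dict_words) + 1
            + digits * math.log2(10) + math.log2(len(SYMBOLS)))


def passphrase_entropy_bits(n_words: int, dict_size: int = 2048) -> float:
    """Random words from a public list: the attacker knows the list, so
    only the choice of words counts (the comic's 4 x 11 = 44 bits)."""
    return n_words * math.log2(dict_size)


if __name__ == "__main__":
    for pw in ("Password1!", "Summer2024!", "Tr0ub4dor&3"):
        print(pw, passes_legacy_rule(pw), is_predictable_template(pw),
              round(naive_entropy_bits(pw), 1), round(template_entropy_bits(pw), 1))
    print("4-word passphrase:", passphrase_entropy_bits(4), "bits")
```

Password1! satisfies the legacy rule and looks like 65 bits to a naive checker, yet costs an attacker who knows the template only about 23 bits, far less than the 44 bits of the four-word passphrase that the same rule would reject.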

Policy revision

In 2017 NIST updated its digital‑identity guidelines: the mandatory special‑character rule and the 90‑day rotation requirement were removed, and the agency began recommending long, memorable passphrases instead. In a Wall Street Journal interview, Bill Burr said, “Much of what I did, I now regret.”

Current situation

Despite the 2017 revision, many registration forms still display the legacy rule “password must contain uppercase letters, numbers and special characters,” so billions of users continue to follow a policy that its own author has repudiated.

[Images: Bill Burr NIST document; password strength comparison; xkcd password comic]