Skip to content
MixedSecurityLast updated: July 10, 2026

Complex symbol passwords are always strongest

Modern security guidance from NIST has shifted away from requiring complex mixes of symbols, numbers, and mixed case toward emphasizing overall password length and uniqueness, since long random passphrases are often both more secure against modern cracking methods and easier for people to actually use.

What we know

For many years, common password policy required users to include a mix of uppercase and lowercase letters, numbers, and special symbols, based on an assumption that this complexity requirement would make passwords harder to guess or crack. This guidance originated partly from a 2003 document written by Bill Burr, then a manager at the National Institute of Standards and Technology, which recommended these complexity rules and became the basis for password policy across much of the technology industry and many corporate and government systems for over a decade.

Burr himself told the Wall Street Journal in 2017 that he regretted much of that original guidance, and NIST substantially revised its official password guidelines in Special Publication 800-63B, first published in 2017 and updated since, moving away from mandatory complexity requirements and toward an emphasis on password length as the primary driver of resistance to cracking, along with checking new passwords against lists of commonly used or previously breached passwords rather than imposing arbitrary composition rules.

The rationale behind this shift is grounded in how modern password attacks actually work. Brute-force and dictionary-based cracking tools benefit far more from a password's overall length than from the presence of specific character types, and complexity requirements often push users toward predictable patterns, such as capitalizing the first letter and adding a single digit or symbol at the end, patterns that automated cracking tools have been specifically optimized to test first, reducing the actual security benefit complexity rules were intended to provide. A long passphrase made of several unrelated words, an approach popularized by online security commentary including a well known XKCD comic illustrating the mathematics involved, can be both easier for a human to remember and more resistant to cracking than a shorter password stuffed with symbols, because the total number of possible combinations, called the keyspace, grows more from adding additional characters or words than from expanding the character set of a fixed-length password.

Complexity requirements also have a well documented behavioral cost: users facing frequent forced password changes and strict composition rules frequently resort to reusing similar passwords across multiple accounts with minor variations, or writing passwords down insecurely, both of which undermine the security complexity rules were meant to achieve. NIST's updated guidance explicitly recommends against mandatory periodic password expiration for this reason, since forced frequent changes tend to produce weaker, more predictable password choices over time rather than stronger ones.

The single most effective password security practice according to current guidance from NIST, the UK's National Cyber Security Centre, and major security firms is not password complexity but avoiding password reuse across different accounts, since a password compromised in one data breach is frequently tried automatically against other accounts using the same or similar credentials, a technique called credential stuffing that succeeds specifically because of widespread password reuse. Password managers, which generate and store long, unique, random passwords for every account, address this problem directly and are now broadly recommended by security agencies as a practical solution, alongside multi-factor authentication, which provides a security backstop even when a password is compromised through any means.

Common claims

  • A password like 'P@ssw0rd1!' is highly secureFalse. Common substitution patterns are built into cracking dictionaries and are not as secure as their apparent complexity suggests.
  • Longer passwords are stronger than shorter complex onesTrue. NIST SP 800-63B confirms length is more important than composition complexity.
  • You should regularly change your passwordsContested. NIST recommends against forced rotation unless compromise is detected, as rotation leads to predictable incremental changes.