Complex symbol passwords are always strongest
NIST's current password guidelines (SP 800-63B, updated 2024) explicitly state that password length is more important than complexity, and that mandated composition rules such as required symbols and forced rotation often weaken security by producing predictable patterns.
What we know
For decades, users were told that a short password like 'P@ssw0rd1!' was more secure than a long, simple passphrase. NIST revised these guidelines based on research showing that complexity requirements lead to predictable substitutions (@ for a, 3 for e, ! at the end) that attackers already account for in their cracking dictionaries.
NIST SP 800-63B (2024 revision) recommends that systems allow passwords of at least 64 characters, permit all printable ASCII and Unicode characters, avoid periodic mandatory rotation unless there is evidence of compromise, and not require specific composition rules. The key insight is that a random or memorable 20-character passphrase is computationally far harder to crack than a 10-character string with mixed symbols.
In practice, the most common real-world attack vectors are credential stuffing (using leaked passwords from data breaches), phishing, and malware, not brute-force cracking of individual passwords. Against these attacks, password length and uniqueness per site matter far more than symbolic complexity. Password managers are the recommended solution as they generate and store long, unique, truly random passwords for every site.
Common claims
- A password like 'P@ssw0rd1!' is highly secureFalse. Common substitution patterns are built into cracking dictionaries and are not as secure as their apparent complexity suggests.
- Longer passwords are stronger than shorter complex onesTrue. NIST SP 800-63B confirms length is more important than composition complexity.
- You should regularly change your passwordsContested. NIST recommends against forced rotation unless compromise is detected, as rotation leads to predictable incremental changes.