The password rules you hate came from one man’s 2003 memo, and he’s sorry
Capital letter, number, symbol, change every 90 days. One government engineer invented all of it, then admitted it made your passwords worse. Here’s what actually works.
⚡ TL;DR
- The password rules everyone follows (capital, number, symbol) came from one 2003 government memo.
- Its author regrets it, because forced complexity pushes people toward predictable patterns crooks guess first.
- What works: a password manager.
📖 Read time: 2 minutes
ChatGPT/Kim Komando
You want to use the password “ILoveKK,” but you know the drill. Along with at least one capital letter, you have to have a number and a symbol. We’ve all sworn at that little red “password too weak” bar.
Here’s the part that’ll get you. Every one of those rules traces back to one government engineer in 2003.
🔑 The memo that broke passwords
His name is Bill Burr, a mid-level manager who drew up the official password rules in a memo titled “NIST Special Publication 800-63.” It was based on a paper from the 1980s, before the web existed. His guide became gospel for banks, employers and websites everywhere.
There was one problem. It was wrong.
Bill Burr told The Wall Street Journal, “Much of what I did I now regret.” He admitted he’d been “barking up the wrong tree.”
Why? The rules backfired. Forced to bolt on a capital, a number and a symbol, people all do the same predictable thing: “Password1!” and then, when forced to change it, “Password2!” Crooks know this, so those patterns are the first guesses they try.
🧠 What works
The real fix is the opposite of everything you were taught.
Length beats gibberish. Every extra character multiplies the guesses a hacker needs, while a lone symbol barely moves the needle.
A long string of random words, something like “purple-otter-canyon-biscuit,” is far harder to crack than “P@ss1!” and far easier to remember.
🔒 The catch and cure
There’s one snag. You’ve got dozens, maybe hundreds, of accounts, and nobody memorizes a different long passphrase for every one. So you reuse a favorite, and a single breach unlocks your whole life. Bank, email, the works. Or you build a little pattern and swap a couple characters, and a hacker cracks that in seconds.
Here’s the fix I use. A password manager. NordPass builds a long, unique, uncrackable password for every account, locks them in an encrypted vault and fills them in automatically on your phone and your laptop. No more sticky notes. No more “forgot password” emails. No more typing Fluffy123 into 40 different sites and hoping.
You remember one master password. NordPass remembers the other 200.
Think about how one cracked password could ruin you. Drained accounts. Frozen cards. Hours on hold with your bank trying to prove you’re you. NordPass costs less than a pack of gum a month to lock all of that down.
👉 Get NordPass now for 52% off, only $1.43 a month. BTW, I get no kickbacks or residuals if you buy. I use it and think you’d like it, too. One password to rule them all. Your move.
📩 Send this to someone who hates passwords. That would be everyone. The links below are there for you to share this story in a snap. Use them.