Stop requiring special characters, uppercase, or numbers in passwords
I’m honestly bored of trying to sign up on websites that force me to use !, @, #, ?, uppercase letters, and numbers. Password policies that demand a mix of symbols, caps, and digits are outdated, annoying, and, let’s be honest, mostly useless.
For decades, websites have required users to follow cumbersome rules: replacing a with @, capitalizing the first letter, and adding 1!, all in the pursuit of “strong” passwords.
But it doesn’t work. Not really.
Why these rules don’t help
Hackers know exactly how humans behave. Most of us:
- Append a single symbol at the end
- Capitalize only the first letter
- Use the same predictable substitutions across accounts
Password123! might satisfy a site’s rules, but it’s still one of the first passwords any cracking tool will guess.
Forcing symbols, numbers, or uppercase letters gives a false sense of security. Predictable patterns hurt more than they help.
The math says length beats complexity
Password strength comes down to entropy, how unpredictable a password is. A simple formula:
- = length of the password
- = number of possible symbols
Here’s a concrete comparison of brute-force effort:
Password: 8cH@r1!s
- Characters used: lowercase + uppercase + numbers + symbols (~94)
- Length: 8
- Entropy: ~52 bits
- Estimated time to brute-force: hours to days
Password: dpabwnhliufrxcsoqmvktgej
- Characters used: lowercase only (26)
- Length: 24
- Entropy: ~113 bits
- Estimated time to brute-force: trillions of years
Notice that a 24-character lowercase-only password outruns an 8-character “complex” password by astronomical margins. Doubling or tripling length beats adding uppercase, numbers, or symbols every time.
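The comparison above as a runnable check (an added example, not the author's code). It uses the standard estimate of length × log2(alphabet size), which only holds when every character is chosen at random, so Password123! scores about 79 bits and still has to be caught by a blocklist. The guess rate, minimum length, and blocklist entries are assumptions made for illustration.

```python
import math
import string

# Character classes; together they give the ~94 printable ASCII symbols
# used in the comparison above.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

# Constructed sample blocklist; a real deployment would load a large list of
# breached and commonly used passwords.
BLOCKLIST = {"password123!", "qwerty123!", "welcome1!"}

GUESSES_PER_SECOND = 1e10   # assumed attacker speed, for illustration only
MIN_LENGTH = 12             # assumed policy value, not from the article


def alphabet_size(password):
    """Sum the sizes of every character class that appears in the password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def entropy_bits(password):
    """length * log2(alphabet size). Valid only if each character was chosen
    uniformly at random, so it is an upper bound for human-chosen passwords."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password):
    """Worst-case time to try the whole search space at the assumed rate."""
    return 2 ** entropy_bits(password) / GUESSES_PER_SECOND / (365.25 * 86400)


def policy_accepts(password):
    """Length-first policy: no composition rules, but reject known passwords."""
    return len(password) >= MIN_LENGTH and password.lower() not in BLOCKLIST


if __name__ == "__main__":
    for pw in ("8cH@r1!s", "dpabwnhliufrxcsoqmvktgej", "Password123!"):
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, "
              f"{years_to_exhaust(pw):.2e} years, accepted={policy_accepts(pw)}")
```

Password123! passes every composition rule and the length check, and is rejected only because it appears on the blocklist, which is the check that actually addresses predictable patterns.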
Passphrases are smarter
Long sequences of words (passphrases) are easier to remember, easier to type, and far harder to guess. Crypto wallets use seed phrases for this reason.
Example:
- Tr0ub4dor&3 → short, complex, predictable
- correct horse battery staple → long, simple, virtually unguessable
Conclusion
Stop requiring !, @, #, ?, uppercase letters, or numbers. They do almost nothing. Focus on:
- Length over complexity
- Random, unique passphrases
- Tools like password managers
Anyone building a product or website should design password rules with real security and usability in mind. Overly strict rules frustrate users, lead to predictable patterns, and often reduce security rather than increase it.
Optional symbols are fine, but they should never be mandatory.