The man responsible for your requirement to use a combination of lower-case letters, upper-case letters, numbers, and symbols in passwords at least eight characters long is now regretting his advice. Former National Institute of Standards and Technology manager Bill Burr recently admitted in an interview with The Wall Street Journal that his 2003 document about crafting strong passwords and changing them every 90 days was somewhat off the mark.
At the time, he said that users will choose an easily remembered, easily guessed password, and likely one stemming from a batch of a few thousand commonly chosen passwords. In turn, hackers trying to gain access to user accounts, computers, and so on would try the most likely chosen passwords first. But even though services would reject specific passwords given their common use, Burr suggested a more secure alternative.
On page 52 of the 2003 document, he clearly states that systems should rely on a password of eight characters or more that are selected from an alphabet of 94 printable characters. This password should also include at least one upper case letter, one lower case letter, one number, and one special character. Systems should even rely on a dictionary that prevents users from including familiar words and using their login name as the password too.
The problem with this method is that users tend to have patterns when creating a password. For instance, they may take a familiar word, such as password, and alter it slightly to meet the requirements. The result could be something like P@zzwurd2017, which isnt all that original, and something we conjured up in a matter of seconds.
Right now, systems give users a thumbs-up when they follow the current standard and even provide a visual measurement tool indicating the passwords strength against hacking. But then users are requested/forced to change their password every 90 days, thus they may use the same base word, but alter the character usage to please the update process (such as P@ssw0rd2K17).
When the guidelines were created in 2003, they were not based on collected data. System administrators would not cough up any passwords for examination, thus Burr turned to a whitepaper published in the 1980s long before the general American population purchased a modem and jumped onto the world wide web using Netscape or America Online.
Fast forward to 2017, and the National Institute of Standards and Technology provides new guidelines for systems to follow. Authored by technical adviser Paul Grassi, it tosses out much of what Burr established years ago. But Grazzi admits that Burrs system lasted for 14 years, and hopes that his revised password ruleset lasts just as long. He suggests that systems remove the 90-day password refresh and the requirement for special characters.
Article is from 2017 but still relevant since you most likely still use his standard.