Sadly, I don’t have an account at wsj.com, but this article starts off worth reading:
The man who wrote the book on password management has a confession to make: He blew it.
Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of “NIST Special Publication 800-63. Appendix A.” The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers—and to change them regularly. (fade to white)
You can read the WSJ article if you search for its title in Google and click the wsj.com result from there. That works for most news paywalls, because Google downgrades links whose full text it cannot see.
Anyway, the key point is the following:
The NIST rules were supposed to give us randomness. Instead they spawned a generation of widely used and goofy looking passwords such as Pa$$w0rd or Monkey1! “It’s not really random if you and 10,000 other people are doing it.”
The point isn’t that long, complicated passwords with weird characters are bad (they are obviously better than a short dictionary word), but that a password can satisfy every composition rule and still be bad: a common word with a capital letter, a predictable symbol substitution and a trailing “1!” gets through the checks while sitting near the top of any guessing list.
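To make that concrete, here is an added example (my own code, not from the post or the WSJ article): a composition checker of the kind the old appendix encouraged accepts both Pa$$w0rd and Monkey1!, while a blocklist check that first undoes the predictable mangling flags both. The word list and substitution table are constructed stand-ins for a real breached-password corpus.

```python
import re

def passes_composition_rules(pw: str) -> bool:
    """Classic 'four character classes, at least 8 chars' policy."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^a-zA-Z0-9]", pw) is not None)

# Constructed blocklist; a real deployment would use a breached-password list.
COMMON_WORDS = {"password", "monkey", "letmein", "welcome", "qwerty"}

# Keyboard substitutions people apply to a base word (constructed, not exhaustive).
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})

def normalize(pw: str) -> str:
    """Undo the usual mangling: drop trailing digits/punctuation such as
    '1!' or '2024', reverse the leet substitutions, then lowercase."""
    base = re.sub(r"[^A-Za-z]+$", "", pw)
    return base.translate(LEET_MAP).lower()

def is_predictable(pw: str) -> bool:
    """True when the password collapses to a blocklisted word."""
    return normalize(pw) in COMMON_WORDS

def evaluate(pw: str) -> dict:
    """Side-by-side verdict of the two policies for one candidate password."""
    return {"composition_ok": passes_composition_rules(pw),
            "predictable": is_predictable(pw)}

if __name__ == "__main__":
    for candidate in ("Pa$$w0rd", "Monkey1!", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

The last candidate shows the inverse failure: the composition policy rejects a long passphrase that the blocklist check has no problem with.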