Uppercase, lowercase, number, symbol - it's the mantra repeated over and over by IT admins when they set password rules. Throw in the requirement to change those passwords every 30 days or so, and not repeat an old password or even have characters in the same place over some arbitrary cycle and you suddenly have a complex set of rules that makes life really hard for users. And the guy who penned many of these rules, Bill Burr from NIST, says he screwed up.