How many of your online passwords include uppercase and lowercase letters, numbers, and special characters? It’s probably because of a document from 2003 that you’ve never heard of.

The author of the U.S. Department of Commerce National Institute of Standards and Technology’s NIST Special Publication 800-63. Appendix A tells The Wall Street Journal he made a mistake 14 years ago when he recommended a secure password include a complex formula and get updated often.

The 2017 version of that NIST publication explains that password complexity not only makes it harder for people to memorize their passwords but also wasn’t necessarily making them more secure. In addition, it says that passwords only need to be updated when there’s been a breach, like when you hear hackers hit your bank or favorite online shop.

What makes a password more secure?

Forget capitalization, numbers, and characters. Use a long string of random words you can remember. The updated NIST publication says password length is usually the main factor for password strength, because short passwords are more susceptible to being cracked. So, applepoetrysaute is stronger than P@ssw0rd1!–and surprisingly easier to remember.