What breaks when organisations rely only on password complexity rules?

Password complexity rules break down when attackers can still automate guesses, reuse breached credentials, or crack offline hashes. Complex passwords help, but they do not prevent credential stuffing, leaked-secret reuse, or compromised admin access. Teams need controls that reduce the value of the password itself, not just its format.

Why This Matters for Security Teams

Password complexity rules are often treated as a primary control, but they mainly change how passwords are constructed, not how they are attacked. Attackers can still use credential stuffing, phishing, password spraying, or offline cracking after a hash leak. That means complexity can create friction for users without materially reducing account takeover risk.

The real issue is that password policy is a brittle control when identity reuse, shared admin credentials, and secrets stored outside a vault remain in place. NHI Management Group notes that 79% of organisations have experienced secrets leaks, with 77% resulting in tangible damage, which shows how often the password problem becomes a broader secrets problem. The NIST Cybersecurity Framework 2.0 emphasises outcomes such as stronger identity verification, access control, and resilience, not password complexity alone. The Ultimate Guide to NHIs also highlights how widely exposed non-human credentials are across modern environments.

In practice, many security teams discover the weakness only after reused credentials, leaked secrets, or compromised admin access have already been exploited.

How It Works in Practice

Complexity rules typically enforce minimum length, character variety, and rotation requirements. That can help against trivial guessing, but it does not stop modern abuse patterns because attackers do not need to guess passwords one account at a time. They automate across thousands of credentials, reuse breached passwords, and target whichever account still accepts weak or previously exposed secrets.

What matters more is reducing the value and lifespan of the credential itself. For human users, that means phishing-resistant authentication, strong MFA, and detection for abnormal login patterns. For NHIs, the answer is different: static secrets should be replaced or wrapped with workload identity, short-lived tokens, and just-in-time access where possible. The Ultimate Guide to NHIs is clear that long-lived secrets, poor rotation, and excessive privileges create the conditions for compromise. In that context, password complexity becomes a minor hygiene measure, not a control that changes the threat model.

  • Use complexity as a baseline, not a trust signal.
  • Block known-breached passwords and reused credentials.
  • Prefer MFA or phishing-resistant methods over password-only access.
  • Eliminate shared admin passwords and move privileged access to PAM.
  • For machine access, use short-lived credentials and workload identity instead of static secrets.
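The list above describes gates that sit beside the complexity check rather than replacing it. The following is an added example, not code from NHI Management Group or from any product the page refers to: a small policy evaluator that applies the construction rules, then a breached-password lookup done in the k-anonymity style (hash locally, compare only the SHA-1 prefix, match the suffix), then a reuse check against salted PBKDF2 hashes of previous passwords. The breached-password set and the sample passwords are constructed for the example; a real deployment would back the lookup with a full breached-password corpus or range-query service and use a higher PBKDF2 iteration count.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Constructed stand-in for a breached-password corpus (invented values).
BREACHED_PASSWORDS = {"P@ssw0rd123!", "Summer2024!", "Welcome#1"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in BREACHED_PASSWORDS}

# One regex per character class the construction rule demands.
COMPLEXITY_PATTERNS = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def meets_complexity(password: str, min_length: int = 12) -> bool:
    """Classic construction rule: minimum length plus all four character classes."""
    return len(password) >= min_length and all(re.search(p, password) for p in COMPLEXITY_PATTERNS)


def is_breached(password: str) -> bool:
    """k-anonymity style lookup: only the 5-character SHA-1 prefix would leave the
    host in a real range query; the suffix is matched locally against candidates."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


@dataclass
class PasswordHistory:
    """Salted PBKDF2 hashes of earlier passwords, so reuse is detectable without keeping plaintext."""
    entries: list = field(default_factory=list)  # (salt, derived key) pairs
    iterations: int = 100_000  # kept low for the example; raise in production

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(self._derive(password, salt), d) for salt, d in self.entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, self._derive(password, salt)))


def evaluate_password(password: str, history: PasswordHistory) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.
    Complexity is checked first but is deliberately only one of several gates."""
    reasons = []
    if not meets_complexity(password):
        reasons.append("fails complexity baseline")
    if is_breached(password):
        reasons.append("appears in breached-password corpus")
    if history.contains(password):
        reasons.append("reuses a previous password")
    return reasons


if __name__ == "__main__":
    history = PasswordHistory()
    history.add("Old-Password-2023!")  # constructed previous password
    for candidate in ["P@ssw0rd123!", "Old-Password-2023!", "short1!", "correct-horse-Battery-9"]:
        print(f"{candidate!r}: complexity={meets_complexity(candidate)} rejected_for={evaluate_password(candidate, history)}")
```

Running the demo shows the point of the section: `P@ssw0rd123!` satisfies every construction rule and is still rejected because it is in the breached set, and a complex password that was used before is rejected for reuse, while the complexity check on its own would have accepted both.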

Current guidance suggests that complexity-only programs break down fastest in environments with password reuse, service accounts, CI/CD secrets, or internet-facing admin portals because those conditions let attackers bypass human memorability rules entirely.
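For the machine-access side of the argument (short-lived credentials and workload identity instead of a static secret), here is an added example that is not code from the page's author or from any named product. It mints an HMAC-signed bearer token bound to a workload name, a scope and a five-minute expiry, and a verifier that rejects expired, tampered or out-of-scope tokens. The signing key, workload name and scope strings are constructed for the example; in practice the key would live with the identity provider or vault and never be handed to the workload.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed signing key for the example; a real issuer keeps this in a vault/KMS.
ISSUER_KEY = os.urandom(32)
DEFAULT_TTL = 300  # seconds: a leaked token is worth little once it expires


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(workload: str, scope: str, key: bytes = ISSUER_KEY,
                ttl: int = DEFAULT_TTL, now: Optional[float] = None) -> str:
    """Mint a short-lived, scope-bound token in the form payload.signature."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": workload, "scope": scope, "iat": issued, "exp": issued + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, required_scope: str, key: bytes = ISSUER_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if signature, expiry and scope all check out."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if current >= claims["exp"] or claims["scope"] != required_scope:
        return None
    return claims


def demonstrate(t0: int = 1_700_000_000) -> dict:
    """Exercise the lifecycle at a fixed clock so results are reproducible."""
    token = issue_token("ci-runner-42", "deploy:staging", now=t0)  # constructed names
    payload_b64, sig_b64 = token.split(".")
    sig = bytearray(_unb64(sig_b64))
    sig[0] ^= 0x01  # flip one bit of the signature to simulate tampering
    tampered = f"{payload_b64}.{_b64(bytes(sig))}"
    return {
        "fresh_ok": verify_token(token, "deploy:staging", now=t0 + 10) is not None,
        "expired_rejected": verify_token(token, "deploy:staging", now=t0 + DEFAULT_TTL) is None,
        "wrong_scope_rejected": verify_token(token, "deploy:prod", now=t0 + 10) is None,
        "tampered_rejected": verify_token(tampered, "deploy:staging", now=t0 + 10) is None,
        "garbage_rejected": verify_token("not-a-token", "deploy:staging", now=t0) is None,
    }


if __name__ == "__main__":
    for check, result in demonstrate().items():
        print(f"{check}: {result}")
```

The contrast with a static API key is the `exp` claim and the scope binding: the same token that works at issue time is useless five minutes later or against a different scope, so rotation happens by construction rather than by a calendar reminder.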

Common Variations and Edge Cases

Tighter password rules often increase help desk load and user frustration, so organisations have to balance stronger construction rules against usability and lockout risk. That tradeoff matters, but it should not distract from the larger control gap: a very complex password is still vulnerable if it is reused, phished, logged, or extracted from a compromised endpoint.

There is no universal standard that says complexity requirements alone are sufficient, and current best practice is evolving toward risk-based authentication and secret minimisation. For NHI-heavy environments, complexity is often the wrong lens entirely, because API keys, service account credentials, and automation tokens are not protected by human password policies at all. NHI Management Group’s research shows that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, which aligns with the idea that identity assurance must extend beyond human passwords.

In high-risk cases, such as legacy applications, shared administrative workflows, or environments with limited MFA support, teams may still need password complexity as a compensating control. Even then, it should be paired with rotation, vaulting, detection, and access segmentation rather than treated as a standalone defence.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | Static secrets and weak rotation are a core failure mode behind password-only reliance. |
| NIST CSF 2.0 | PR.AC-4 | Access control outcomes matter more than password format alone. |
| NIST AI RMF | | Risk-based identity decisions fit the move away from password-centric security. |

Replace long-lived credentials with rotation, vaulting, and short-lived access paths.