Composition Rule

A composition rule is a password policy that requires certain character types, such as uppercase letters, numbers, or symbols. It is easy to audit but weak as a security measure because it measures format, not actual resistance to guessing or reuse.

Expanded Definition

A composition rule is a password policy that requires a credential to include preset character classes such as uppercase letters, numbers, or symbols. In practice, it evaluates format compliance rather than the actual strength, uniqueness, or resistance of the password against guessing, replay, or reuse. That distinction matters in NHI security because service accounts, API keys, and automation credentials are often governed by policy decisions borrowed from human IAM, even though the threat model is different.

Guidance from the NIST Cybersecurity Framework 2.0 and related identity practices increasingly favors authenticators and lifecycle controls over brittle complexity mandates. In NHI programs, the better question is not whether a secret contains the right mix of characters, but whether it is generated, stored, rotated, scoped, and revoked correctly. NHIMG’s Ultimate Guide to NHIs frames this as a governance issue, because weak secrets management is usually a lifecycle failure, not a formatting failure.

The most common misapplication is using composition rules as a substitute for entropy, rotation, and access control, which occurs when teams treat a policy checkbox as proof of credential resilience.

Examples and Use Cases

Implementing composition rules rigidly often introduces user friction and brittle automation, requiring organisations to weigh easy policy enforcement against weaker real-world assurance.

  • Legacy service accounts are forced to include symbols and uppercase characters, but the secret is still hard-coded in a build pipeline, creating false confidence.
  • An API key passes a composition check yet remains unchanged for months, which makes rotation discipline more important than format compliance.
  • A secrets vault enforces password length and character mix, but access policies are weak, so the main risk comes from poor authorization rather than composition.
  • Security teams replace composition rules with generated secrets, guided by the NIST Cybersecurity Framework 2.0 and NHIMG’s Ultimate Guide to NHIs, to reduce guessability and manual handling.
  • Audit teams discover that a policy requiring symbols did not prevent reuse across environments, showing why composition rules alone do not address credential sprawl.

Why It Matters in NHI Security

Composition rules matter because they can distract from the controls that actually reduce exposure for non-human identities. NHIs already outnumber human identities by 25x to 50x in modern enterprises, and NHIMG reports that 97% of NHIs carry excessive privileges, which means weak or reused secrets can amplify access far beyond a single account. The same research also notes that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, underscoring that the main danger is not an invalid character set but operational leakage and overprivilege.

In NHI programs, the useful control objectives are secure generation, storage outside code, scoped access, rotation, offboarding, and monitoring. A composition rule may help satisfy an audit artifact, but it does little to stop a compromised pipeline, a leaked config file, or an unrevoked API key. For that reason, practitioners should treat composition rules as a low-value legacy signal and prefer controls that measure actual secret resilience.

Organisations typically encounter the limits of composition rules only after a leaked credential is reused in production, at which point secret governance becomes operationally unavoidable.
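The gap between the format check defined above and the lifecycle objectives listed in this section (generation, storage outside code, rotation, reuse) is easiest to see side by side. The following Python is an added example written for this page, not NHIMG tooling or any product's code; the inventory records, the 90-day rotation limit, the denylist of base words, and the field names such as stored_in and environments are all constructed assumptions.

```python
"""Added example (not NHIMG code): a composition check beside the lifecycle
checks that actually predict secret exposure. Inventory records, the 90-day
rotation limit, the denylist and all field names are constructed assumptions."""
import math
import re
import secrets
import string
from dataclasses import dataclass
from datetime import date


@dataclass
class CredentialRecord:
    name: str
    secret: str
    stored_in: str            # "vault" or "source_code" (constructed vocabulary)
    last_rotated: date
    environments: tuple = ()  # environments this one secret is deployed to


def passes_composition(secret: str, min_len: int = 8) -> bool:
    """The classic rule: minimum length plus one of each character class."""
    return (len(secret) >= min_len
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(c in string.punctuation for c in secret))


def naive_entropy_bits(secret: str) -> float:
    """Upper bound log2(pool ** length): only reached if every character was
    drawn uniformly at random, which a human-chosen secret never is."""
    pool = 0
    if any(c.islower() for c in secret):
        pool += 26
    if any(c.isupper() for c in secret):
        pool += 26
    if any(c.isdigit() for c in secret):
        pool += 10
    if any(c in string.punctuation for c in secret):
        pool += len(string.punctuation)
    return len(secret) * math.log2(pool) if pool else 0.0


# Constructed denylist; a real check would use a breached-credential corpus.
WEAK_BASES = ("password", "admin", "service", "welcome", "secret")
LEET = str.maketrans("0143$@!", "oiaesai")


def looks_dictionary_based(secret: str) -> bool:
    """Undo the usual tricks (trailing symbol, leet digits) and compare."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", secret).lower().translate(LEET)
    return any(base in core for base in WEAK_BASES)


def lifecycle_findings(rec, inventory, today, max_age_days=90):
    """The controls the text prefers: storage location, rotation age, reuse."""
    findings = []
    if rec.stored_in == "source_code":
        findings.append("hard-coded: lives in a repo or pipeline, not a vault")
    age = (today - rec.last_rotated).days
    if age > max_age_days:
        findings.append(f"rotation overdue: {age} days since last rotation")
    if len(rec.environments) > 1:
        findings.append("reused across environments: " + ", ".join(rec.environments))
    sharers = [o.name for o in inventory if o is not rec and o.secret == rec.secret]
    if sharers:
        findings.append("same secret as: " + ", ".join(sharers))
    return findings


def evaluate_inventory(inventory, today):
    """One verdict per record: the format signal next to the resilience signals."""
    return [{
        "name": rec.name,
        "composition_ok": passes_composition(rec.secret),
        "entropy_bits_upper_bound": round(naive_entropy_bits(rec.secret), 1),
        "dictionary_based": looks_dictionary_based(rec.secret),
        "lifecycle_findings": lifecycle_findings(rec, inventory, today),
    } for rec in inventory]


def generate_secret() -> str:
    """What replaces a composition rule: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


# Constructed sample inventory. All three secrets satisfy the composition rule.
TODAY = date(2024, 6, 1)
INVENTORY = [
    CredentialRecord("build-svc", "Passw0rd!", "source_code", date(2024, 1, 15), ("dev", "prod")),
    CredentialRecord("report-api", "Passw0rd!", "vault", date(2024, 5, 20), ("prod",)),
    CredentialRecord("metrics-key", "k7Gp-Qz2XeB9vT_wR3hN0cYs5LmJdU8fAa1oIqE4bHt",
                     "vault", date(2024, 5, 12), ("prod",)),
]

if __name__ == "__main__":
    for result in evaluate_inventory(INVENTORY, TODAY):
        print(result)
```

Running it shows the point of the section: every record reports composition_ok as True, yet build-svc is hard-coded, 138 days past rotation, deployed to two environments and shares its secret with report-api, and its secret normalises to a denylisted base word. Only the generated metrics-key has no lifecycle findings, and it would have no trouble passing any composition rule either, which is why generate_secret() rather than a character-class check is the control worth enforcing.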

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Composition rules are a weak proxy for secret quality, which NHI-02 addresses through secret handling controls. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential management under CSF emphasizes secure access, not password composition alone. |
| NIST SP 800-63 | 5.1.1.2 | Digital identity guidance de-emphasizes composition rules in favor of memorability and verifier strength. |

Replace format-only password checks with generated secrets, storage controls, rotation, and scoped access review.