TL;DR: Password complexity rules measure character variety, not real password strength, and they keep pushing users toward predictable patterns, helpdesk churn, and false compliance, according to Avatier. The stronger model is runtime enforcement with breach-corpus checks, long passphrases, and event-triggered rotation, because the old composition rule assumes attackers still behave like they did in 1995.
At a glance
What this is: This is an analysis of why composition-based password rules fail and why runtime strength enforcement is the better identity control.
Why it matters: It matters because password policy still shapes workforce IAM, and weak policy design creates avoidable risk across human identity, service accounts, and lifecycle governance.
By the numbers:
- 17 minutes.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
👉 Read Avatier's analysis of password complexity versus password strength
Context
Password complexity rules are a policy proxy, not a strength control. They were built for an older threat model, but modern credential attacks target predictable patterns, reused values, and breach-corpus entries that composition rules do not stop.
For IAM teams, the issue is not whether a password contains uppercase letters, numbers, or symbols. The issue is whether the policy prevents weak credentials from entering the directory at all, and whether the control is enforced consistently across self-service, helpdesk, automation, and lifecycle events.
Key questions
Q: How should security teams enforce password strength in modern IAM environments?
A: Security teams should enforce password strength at runtime, not rely on composition rules alone. The control should reject breached, reused, and predictable passwords at every creation point, including user reset, helpdesk reset, and automated provisioning. That approach reduces false compliance and stops weak credentials before they enter the directory.
Q: Why do password complexity rules still create risk in enterprise environments?
A: Password complexity rules create risk because they reward formatting instead of real resistance to attack. Users respond by choosing predictable patterns, reusing variants, or appending numbers and symbols in obvious ways. The result is a policy that looks strict but still allows credentials attackers already know how to guess or crack.
Q: How do organisations know whether password governance is actually working?
A: Organisations know password governance is working when weak credentials are blocked before storage, helpdesk reset volume falls, and breach-corpus matches are rejected consistently across all creation paths. If policy only works on the self-service page but not in admin or automated flows, the control is only partially effective.
Q: Who is accountable when password policy fails to stop weak credentials?
A: Accountability usually sits with the identity and access team that owns password policy, directory integration, and lifecycle enforcement. If a weak password can enter through one unmanaged path, the governance failure is architectural, not just procedural. NIST 800-63B and related audit frameworks expect controls that reflect actual risk, not checkbox complexity.
Technical breakdown
Why composition rules fail against modern password attacks
Composition rules measure visible variety, such as uppercase letters or symbols, but attackers do not crack passwords by checking boxes. They use breach corpora, dictionary attacks, and pattern mutation rules that turn compliant-looking passwords into easy targets. That is why 'Spring2026!' and similar variants remain weak even when they satisfy policy. The core failure is that complexity checks reward formatting, while attackers exploit predictability and prior exposure.
Practical implication: stop treating character mix as a strength signal and move to controls that reject known-bad and predictable credentials at creation time.
How breach-corpus checks change password governance
A breach-corpus check blocks passwords already known from public leaks before they are accepted into the identity store. This is a runtime control, not a static policy, which matters because strength depends on context and current threat data. If a credential already exists in attacker wordlists, its theoretical entropy is irrelevant. The control becomes materially stronger when it runs at every creation point, including admin reset, API provisioning, and migration paths.
Practical implication: enforce breached-password screening at every entry point where a password can be created or reset.
Why event-triggered rotation beats calendar rotation
Calendar rotation assumes time alone is the risk trigger, but most real risk comes from events such as breach exposure, role change, anomalous activity, or offboarding. Fixed 90-day rotation encourages incremental changes that are easier to predict and harder for users to manage. Event-triggered rotation aligns the control with actual exposure, which makes the policy more defensible and more operationally useful.
Practical implication: replace routine rotation dates with explicit security and lifecycle triggers that justify the reset.
Threat narrative
Attacker objective: The attacker seeks authenticated access that looks legitimate to the identity stack, making detection and containment harder than with a simple exploit.
- Entry occurs when an attacker uses credentials that were exposed publicly or guessed from predictable password patterns.
- Escalation happens when the same weak credential works across multiple systems because users reused it or made only incremental rotation changes.
- Impact follows when the attacker gains authenticated access to mail, cloud apps, or administrative workflows that were supposed to be protected by policy alone.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Composition rules are a proxy for compliance, not a control for actual password strength. The article is right to separate visible complexity from real resistance to attack. Password policies built around character classes assume the attacker is evaluating format, while the real attacker is evaluating exposure, repetition, and predictability. For IAM programmes, that means the policy can look strict while still leaving the credential surface weak.
The credential firewall is the more accurate governance model for enterprise passwords. Strength has to be enforced at the point of creation, not inferred from a static rule on paper. That is especially important when resets, admin actions, and automation all feed the same directory. The practitioner conclusion is simple: if a weak password can still enter through one path, the governance model is incomplete.
Event-triggered rotation is a better identity assumption than calendar rotation. Fixed rotation treats time as the signal, but risk often appears through breach exposure, role change, or suspicious activity. The old model assumes the password will survive long enough to justify routine replacement, which is exactly why it creates predictable behaviour. Practitioners should re-evaluate whether their current policy is managing exposure or only generating churn.
Strength governance now belongs in the same conversation as lifecycle discipline. Password policy does not sit apart from JML, helpdesk resets, or privilege changes. If lifecycle events are not tied to credential enforcement, the organisation keeps creating openings that policy alone cannot close. The practical takeaway is to treat password governance as part of identity lifecycle management, not as a standalone hygiene exercise.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- Also from our research: 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- For a broader lifecycle lens, NHI Lifecycle Management Guide shows why offboarding, rotation, and revocation need to be tied together rather than managed as separate tasks.
What this signals
Credential governance is moving from static policy to runtime enforcement. The organisations that still rely on composition rules are optimising for audit language, not attacker behaviour. With 91% of former employee tokens still active after offboarding, the lifecycle problem and the password problem are increasingly the same control failure, which is why NHI Lifecycle Management Guide matters even in a workforce-password discussion.
Strength policy is becoming a lifecycle issue, not just a user-experience issue. When passwords, tokens, and service credentials are governed separately, gaps open at the handoff points. The next maturity step is to align reset, revocation, and breach-corpus screening under one operational model.
Password complexity is a legacy assumption that will keep leaking risk into IAM programmes. The practical shift is to measure whether the control blocks bad credentials, not whether it produces compliant-looking ones. That is the standard practitioners should use when reviewing OWASP Non-Human Identity Top 10-style governance for the broader identity stack.
For practitioners
- Audit every credential creation path Map each place a password can enter the directory, including self-service reset, helpdesk reset, API provisioning, migration workflows, and legacy application stores. Close any path that bypasses runtime strength checks.
- Enforce breached-password screening at runtime Reject credentials that appear in breach corpora or common pattern dictionaries before they are accepted. Apply the same check to user resets, administrative resets, and automated provisioning.
- Replace calendar rotation with event triggers Trigger rotation for breach exposure, anomalous activity, role changes across privilege boundaries, and offboarding. Remove fixed-interval rotation unless a specific control objective justifies it.
- Tie password policy to lifecycle governance Connect joiner, mover, and leaver events to credential revocation and forced reset where needed. A password policy that is not lifecycle-aware will miss the moments when risk actually changes.
Key takeaways
- Complexity rules are a poor proxy for security because they shape behaviour, not attacker resistance.
- The scale of the identity problem is visible in offboarding and secret duplication, where lifecycle controls still leave major exposure windows.
- Practitioners should move to runtime strength enforcement, breached-password screening, and event-triggered rotation tied to identity lifecycle events.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | The article centres on password memorization, strength, and composition guidance. | |
| NIST CSF 2.0 | PR.AC-1 | Access control policy must stop weak credentials from becoming active identities. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust depends on stronger identity assurance than visible complexity checks. |
Adopt length-based password policy and remove composition rules that do not improve attack resistance.
Key terms
- Credential Firewall: A credential firewall is a runtime control that screens passwords before they are accepted into the identity store. It blocks breached, predictable, or policy-violating values at every creation point, which makes it more effective than static composition rules written only for user-facing forms.
- Breach-corpus screening: Breach-corpus screening checks a candidate password against known leaked credential datasets before approval. It does not try to guess user intent. It simply prevents already-exposed secrets from being reused, which removes one of the most common paths to account compromise.
- Event-triggered rotation: Event-triggered rotation replaces fixed calendar resets with changes driven by real risk events such as breach exposure, role change, suspicious activity, or offboarding. The value is not faster turnover for its own sake, but rotation that happens when identity conditions actually change.
- Password strength governance: Password strength governance is the discipline of ensuring credentials resist realistic attack methods rather than merely satisfy formatting rules. It combines length, uniqueness, unpredictability, and lifecycle enforcement so the control reflects attacker behaviour instead of audit shorthand.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Avatier: password complexity rules versus password strength in 2026. Read the original.
Published by the NHIMG editorial team on 2025-12-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
